After the European Union (EU) and the United States of America (USA) had been negotiating the legal framework for transatlantic data traffic for months, new laws were passed in the USA to protect personal data.
As a result, the European Commission has now determined, surprisingly quickly, that the USA guarantees an adequate level of protection for personal data, comparable to that of the EU. This adequacy decision considerably simplifies cross-border data processing.
Data transfer to the USA
An appropriate level of data protection is a basic requirement for data transfer to non-EU countries. The data controller must guarantee this in order to protect the rights of the data subjects. Otherwise, data transmission is not permitted.
After the European Court of Justice (ECJ) overturned the previous EU-US “Safe Harbour” and “Privacy Shield” agreements, data transfer to the USA was only permitted – if at all – with case-by-case measures to ensure an appropriate level of protection. This led to considerable concerns among companies using US software or systems. However, it was practically impossible to dispense with the typically American tech market leaders, which is why practicable transitional solutions have often led to claims for damages and fines.
The European Commission’s new adequacy decision has now resolved this issue for the time being: US systems can be used under the same data protection requirements as European systems if they have signed up to the EU-US data protection framework.
Legal basis
The admissibility of a data transfer to non-EU countries under data protection law is examined in two steps:
- Is the data processing itself permissible?
As in Germany, it must first be checked whether the data processing itself by the foreign company is permissible under European data protection regulations (e.g. due to contract fulfillment or consent).
- Is there an adequate level of data protection in the third country?
The question then arises as to whether the third country has an adequate level of data protection to ensure secure and protected data processing as in the European Union. This criterion is therefore added for data processing in non-EU countries. This highly problematic point of examination is unnecessary if there is an adequacy decision by the EU Commission pursuant to Art. 45 para. 3 General Data Protection Regulation (GDPR), as is now the case for the USA.
Consequences for practice
US-related data processing measures are now permitted if they comply with the existing European requirements, for example if they are based on a legal basis such as consent. The advantage is therefore that US companies are not excluded per se from many processing measures.
Nevertheless, these companies must have undergone a certification process. Otherwise, special data protection measures are still required.
Companies should therefore ensure that they only use certified partners in future. A few days after the adequacy decision was issued, the exact form of the certification (e.g. as a seal) remains to be seen, as does the opinion of the ECJ on the legality of the regulations.
Conclusion
The new adequacy decision makes data transfer with the USA considerably easier and creates legal certainty for many companies. Although the practical design remains to be seen, the new data protection framework between the EU and the USA gives hope for positive effects through technical progress with a secure level of data protection.