In 2020, the European Court of Justice found that data protection in the United States was inadequate, which greatly unsettled European companies, authorities, and individuals. Customers and agencies, especially those who use services from US providers such as Google, Meta, Cloudflare, or Amazon, have since faced the constant threat of prohibitions and fines from supervisory authorities. Now comes the Trans-Atlantic Data Privacy Framework (TADPF). The TADPF aims to reduce these uncertainties and give companies legal certainty. However, it may prove to be only temporary, as data protection advocates criticize it and are calling on the European Court of Justice to repeal it. This article explains how the TADPF works, what it offers, and what risks a future overturning would bring. It should be noted that this article does not constitute legal advice.
The TADPF is an agreement between the EU Commission and the US Department of Commerce in which the US commits to improving its level of data protection while the EU Commission declares the transfer of data to the US adequate. The goal of the TADPF is to make the transfer of personal data from the EU to the US legally secure. It is a decision reached by mutual agreement on new or extended rules; it is by no means legislation.
The GDPR generally prohibits the transfer of personal data to "third countries" outside the EU (Art. 44 to 49 GDPR). The USA is an example of such a third country.
However, a transfer is possible if an adequate level of data protection can be established in the third country. This is possible in the following cases:
- The EU Commission establishes an adequate level of data protection, e.g. for Switzerland, New Zealand, Andorra, Argentina, the Faroe Islands, Guernsey, Japan, Korea, Canada, Israel, and the UK. US companies can also be deemed to provide an adequate level of data protection if they complete a specific self-certification process.
- Standard contractual clauses are model contracts of the EU Commission that oblige the contractual partners to comply with the European level of data protection. However, they only permit data transfers if the EU level of data protection is actually maintained.
- Companies can also establish binding corporate rules for data protection, but this alternative is rare and requires either external certification or an audit of the company's own.
- Consent of the data subjects is possible as a last resort, but it is cumbersome and can fail for lack of transparency, lack of explicit consent, or lack of voluntariness.
- Further exceptions can be found in Art. 49 GDPR.
Whether data may be processed in the USA by tech companies such as Amazon, Google, Cloudflare, OpenAI, or Meta currently depends on standard contractual clauses, which are used to establish the admissibility of data processing in the USA. The TADPF is now intended to change this and provide greater legal certainty.
The Trans-Atlantic Data Privacy Framework (TADPF) already had two predecessors named "Safe Harbor" and "Privacy Shield", which were similarly structured. However, these assurances to ensure an adequate level of data protection were called into question by the revelations of Edward Snowden, who showed that US intelligence agencies had massive access to data of EU citizens.
As a result, lawsuits were filed and the European Court of Justice declared the adequacy decisions ineffective in 2015 (ECJ, 06.10.2015 - C-362/14 "Schrems I") and 2020 (ECJ, 16.07.2020 - C-311/18 "Schrems II"), as there was no adequate level of data protection in the USA. This violated the fundamental rights of EU citizens to privacy, data protection, proportionality, and an effective remedy.
To prevent the TADPF from suffering the same fate, the USA has, unlike under the previous agreements, taken far-reaching measures to ensure an adequate level of data protection.
An essential advantage of the Trans-Atlantic Data Privacy Framework (TADPF) is that it does not merely represent a contractual commitment by American companies to ensure adequate data protection. It goes beyond that, since US intelligence agencies could theoretically override such contractual clauses. In the course of implementing the TADPF, the United States has actually restricted the powers of its intelligence agencies with regard to access to data of EU citizens, while at the same time strengthening the legal position of those citizens. This was done through the "Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities," which US President Biden issued on October 7, 2022. For EU citizens whose personal data is transferred to the United States, this new executive order brings the following improvements in particular:
- Proportionality: US intelligence agencies must now also check whether access to the data of EU citizens is proportionate.
- Complaints procedure: EU citizens can submit a complaint to the "Civil Liberties Protection Officer" of the US intelligence agencies to protect their privacy and fundamental rights.
- Review procedure: At the second level, individuals can challenge the decision of the "Civil Liberties Protection Officer" before the newly created "Data Protection Review Court." The Review Court is composed of independent members who can only be dismissed for serious reasons, such as a criminal conviction. It can investigate complaints from EU citizens, request relevant information from intelligence agencies, and make binding decisions, including ordering the deletion of data if it was collected in violation of the protection measures provided for in the executive order.
The European Court of Justice (ECJ) must decide whether these measures are sufficient to prevent the risk of data misuse by US intelligence agencies. Critics of data transfers to the United States are skeptical that the commitment is sufficient. However, the legal situation has improved, so the ECJ's ruling to invalidate the "Privacy Shield" cannot simply be applied to the current situation.
Currently, US service providers certified under the Trans-Atlantic Data Privacy Framework are legally secure. The EU and the US have agreed on better data protection measures for EU citizens, and the EU Commission has determined an adequate level of data protection in the US.
Art. 45 para. 1 GDPR: "(1) Personal data may be transferred to a third country or an international organization if the Commission has decided that the third country or organization in question provides an adequate level of protection. In this case, no authorization is required."
However, there are concerns regarding the data protection measures in the United States. Privacy advocates consider these measures insufficient, and there is a possibility that the TADPF will be declared invalid by the European Court of Justice in the next 3-5 years. Companies that use U.S. service providers should take this risk into account.
Unlike the adequacy decisions for Switzerland or the United Kingdom, the adequacy decision under the TADPF does not apply to the entire United States. Instead, US companies must certify themselves in order to rely on the decision. Companies such as Meta, Google, Microsoft, AWS, etc., which have many EU users or customers, will soon do so. The certified US companies will be listed in a database, as was the case with the predecessor "Privacy Shield"; the first listings will go live soon. Companies can be looked up there, but a company may be certified only for certain areas of its business, and only those areas benefit from the adequacy of the level of data protection.
On February 28, 2023, the European Data Protection Board (EDPB) issued a statement on the draft adequacy decision for data transfers between the EU and the USA. Although the EDPB still has concerns and points that need clarification, it welcomes the improvements in the draft overall. This can be seen as a positive sign for the TADPF. The EDPB's approval depends on the USA actually implementing the proposed adjustments in practice. In summary, the EDPB's statement suggests an optimistic outlook, as the agreement would address the main criticisms of the "Schrems II" ruling. However, the EDPB's statement is not binding on the ECJ, so the TADPF could still be declared invalid.
The European Data Protection Board: The European Data Protection Board (EDPB) is an EU institution that ensures the application and harmonization of the General Data Protection Regulation (GDPR) throughout the European Union. It consists of the heads of the national data protection authorities and the European Data Protection Supervisor. The EDPB issues guidelines and contributes to the development of standards in the field of data protection.
The EU Commission's adequacy decision is not legislation, but it provides a GDPR-compliant basis for data transfers to the USA as long as it does not become ineffective.
Although German data protection authorities consider the level of data protection in the USA to be insufficient, there are no fines or prohibitions on the use of US providers subject to the Trans-Atlantic Data Privacy Framework.
However, if the Trans-Atlantic Data Privacy Framework is declared ineffective by the ECJ, the use of US services must be reassessed. If your company is closely linked to US companies and data processed under your responsibility is located on servers in the USA, you may be in violation of the GDPR and face fines or prohibitions.
Yes: a reference to an adequacy decision regarding the transfer of data to third countries is mandatory information in a privacy policy (Art. 13 para. 1 lit. f GDPR).
[…] At the time of collecting this data, the data controller informs the data subject of the following: […] the data controller's intention to transfer the personal data to a third country or international organization, as well as the existence or absence of an adequacy decision by the Commission […].
When listing the recipients of your data transfers in accordance with Art. 13 para. 1 lit. e GDPR, you should state whether you fall within the scope of the Commission's adequacy decision and thus under the EDPB.
If you have further questions or need help with implementation, feel free to contact us anytime.