Data Privacy Framework - hope or trap?
On the 10th of July 2023 the EU commission adopted the adequacy decision for the EU-U.S. Data Privacy Framework (successor to the "Privacy Shield").
"The European Commission has certified the successor to the 'Privacy Shield' as having an adequate level of protection. With the new adequacy decision, personal data can now flow from the EU to the USA again without the need for further transfer instruments or additional measures." (Source: BfDI)
But be careful! Companies located in the US will have to get certified under the EU-U.S. Data Privacy Framework. Companies in the EU will have to check their partners and service providers for a valid certification themselves. In addition, it's important to mention that there are also requirements on who can get certified, so don't take this new agreement as a free pass to choose US service providers without double-checking.
Even though the privacy levels have been raised by the new Data Privacy Framework, they are nevertheless not at the same level as the GDPR.
"The points of criticism are similar to those already leveled at Privacy Shield. In particular, there is no fair procedure before the newly established Data Protection Review Court, as the decision has already been made and the data subject is not involved. Furthermore, the proceedings are not public without exception. The most serious aspect, however, is that the Privacy Principles cannot guarantee an equivalent level of protection and therefore the requirements of the GDPR are once again unlikely to be met." (Source: anwalt.de)
The adequacy decision is applicable EU law as long as it is in force. The European Commission will review its effectiveness one year after it comes into force, and it can be adapted or repealed if necessary.
In addition, adequacy decisions under Art. 45 GDPR can be judicially reviewed by the ECJ and, if necessary, declared invalid. Controllers must be prepared for this possibility.
Our key takeaways are:
- Always check US companies for their data privacy regulations and specifically for a valid Data Privacy Framework certification.
- Without the above-mentioned certification your company will not pass a GDPR certification, as data transfer to the US is then not regulated and potentially insecure.
- Looking for an alternative within the EU can help you avoid running into potential issues in the future.
- Staying up to date with regard to the GDPR is absolutely crucial for your business if you want to stay compliant and keep your data safe.