GT News


Veronika Odrobinová | July 13, 2023

European Commission rules that personal data of EU citizens can be stored in the U.S.


The transfer of personal data plays a significant role in today’s globalised world. International transfer of data is the order of the day and modern technology is making this transfer increasingly sophisticated. European legislators were, and still are, aware of this, and they have been trying for decades to protect the data of EU citizens by regulating its transfer to third countries.

On 6 July 2000, the European Commission adopted a decision determining that the Safe Harbor Principles provide an adequate level of protection for personal data transferred from the Community to organisations based in the U.S. In practice, the Safe Harbor Principles made it easy to transfer personal data from EU countries to companies in the U.S. that subscribed to the Safe Harbor Principles. For an EU citizen using any service based on the exchange of personal data between the U.S. and the EU, safe handling of his or her personal data was guaranteed. On 6 October 2015, the Court of Justice of the European Union, in Decision C-362/14, Maximilian Schrems v. Data Protection Commissioner, annulled the Commission’s decision of 26 July 2000 (so-called Schrems I).

Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), specifically Article 45 thereof, provides that a transfer of personal data to a third country or an international organisation may take place if the European Commission has determined that the third country ensures an adequate level of protection, meaning that the level of protection in the third country must be substantially equivalent to that in Europe.

Following the abolition of the Safe Harbor and a brief period of limbo, data transfers between the European Union and the United States took place in accordance with Article 45 of the GDPR, in particular based on European Commission Decision 2016/1250 of 12 July 2016, which reflected the EU-US legal framework known as the Privacy Shield. In practice, U.S. companies had their personal data registered on a list established by the U.S. Department of Commerce, and as a result, transfers of personal data from the EU were deemed to have been made in compliance with the required level of protection under the GDPR. However, the Privacy Shield was repealed following the decision of the Court of Justice of the EU (“CJEU”) in Case C-311/18 Data Protection Commissioner v. Facebook Ireland Limited and Maximilian Schrems (“Schrems II”).

Since the abolition of the Privacy Shield, it has been unclear whether and under what conditions personal data can continue to be transferred from the EU to the U.S. Data transfer was still needed and new means had to be found to make it possible. These include the so-called appropriate safeguards under Article 46 GDPR and the so-called exceptions under Article 49 GDPR, which contains an exhaustive list of them. The appropriate safeguards under Article 46 of the GDPR include various instruments for the transfer of personal data in practice, in particular the so-called standard contractual data protection clauses adopted by the European Commission. They constitute a model contract text (currently used in the 2021 version) between an exporter of personal data (controller or processor), who intends to transfer personal data to a third country that does not have an adequate level of protection, and an importer of personal data in that third country (controller or processor).

Due to the complexity of personal data transfers following the repeal of the Privacy Shield, on 10 July 2023, the European Commission adopted an adequacy decision regarding EU-US data transfers under the EU-US Data Privacy Framework (the “Decision” and the “DPF”), whereby the European Commission found that the level of data protection in the U.S. is currently the same as in the European Union. Therefore, data transfers between Europe and the United States under the DPF (but not for all recipients in the U.S., as explained in the paragraph below) should now take place freely, without the need for additional legal safeguards such as the standard contractual clauses or binding corporate rules that have been used so far, that is, since the abolition of the Privacy Shield.

In order to join the DPF, the U.S. recipient (company/organization) must certify that it adheres to the DPF principles, which means that it must develop a DPF-compliant privacy policy, identify an independent remediation mechanism, and self-certify through a website provided by the U.S. Department of Commerce. A list of certified companies is also provided on this DPF website, so that EU data exporters can easily check whether a U.S. data importer benefits from the protection of the DPF adequacy decision.

According to the European Commission (the “EC”), the DPF represents a substantial improvement in the protection of personal data and addresses the substantive objections raised by the CJEU in the Schrems II decision, which led to the annulment of the Privacy Shield. This concerns in particular the access of the U.S. government to data of EU citizens, where the EC notes that U.S. law already contains many limitations and safeguards regarding the access and use of personal data for law enforcement and national security purposes.

Furthermore, as regards the judicial remedy sought by the CJEU, the EC concludes that the newly established Data Protection Review Court in the U.S. is an independent court, to which all EU citizens will have access. Last but not least, the operation of the DPF will be subject to regular checks performed by the EC together with representatives of the European data protection authorities (in the Czech Republic, the Office for Personal Data Protection) and the relevant U.S. authorities. Article 3 of the Decision requires the EC to continuously monitor compliance with the DPF. Should the EC have any indication that an adequate level of protection is no longer ensured, it will inform the competent U.S. authorities and, if necessary, may decide to suspend, modify or revoke the adequacy decision or to limit its scope. The first such review is due to take place in July 2024.

Despite the above, the question remains whether this new agreement will withstand scrutiny by the CJEU. In fact, activist Maximilian Schrems, after whom the two Schrems decisions were named, said after the decision was made that he would appeal against it. He expects to file the lawsuit early next year (2024), and the CJEU may suspend the DPF, and therefore the very transmission of data on its basis, during its review process. The fate of the DPF, and with it the certainty of easier data transfer between the EU and the U.S., therefore remains unclear.

Author: Veronika Odrobinová, Tomáš Přibyl