There is much to celebrate today. Besides the Flemish holiday, we can once again share our personal data GDPR-proof with US service providers. The European Commission has adopted an adequacy decision for the EU-US Data Privacy Framework that will again allow easier transfer of data to the US under certain conditions.
Was I not allowed to use US service providers until yesterday?
When the GDPR came into force in 2018, data sharing with the US was allowed under the EU-US Privacy Shield. However, on 16 July 2020, the Privacy Shield was declared invalid by the Court of Justice in the Schrems-II ruling. Transfers of data were then only possible subject to signing Standard Contractual Clauses and carrying out a Data Transfer Impact Assessment in which sufficient security measures had to be in place to enable the transfer, such as end-to-end encryption or proprietary key management.
As many online services are offered by US service providers but few of the services offered comply with these strict measures, many of these transfers were seen as in violation of the GDPR, and sanctions and fines were regularly levied against companies that placed, for example, Google Analytics on their websites.
Can I just transfer data to the US again from today?
With the adoption of the EU-US Data Privacy Framework, the EU has adopted an adequacy decision that allows a transfer under Article 45 GDPR. However, certain conditions must be met. For instance, the US service provider has to be certified to prove compliance with certain privacy and security requirements.
As an EU company, the task has thus become easier and it is enough to check the website dataprivacyframework.gov to see if the service provider is listed as a 'trusted' data partner. If a company has not obtained certification, Standard Contractual Clauses must still be signed and a Data Transfer Impact Assessment must be done.
Is this a definitive solution to the data transfer problem to the US?
Presumably not. Austrian privacy activist Shrems, who has had the previous two exchange systems with the US invalidated with the Schrems-I and Schrems-II judgments, has already indicated that the current framework is mainly a copy of the invalidated Privacy Shield and that he will do what is possible to undermine the Data Privacy Framework as well.
Since US privacy law, and mainly the ability of the US Secret Service to retrieve personal data on a large scale, is not identifiable with the GDPR, there is a good chance that a Schrems-III ruling is coming that will also invalidate this adequacy decision.
Conclusion
Using US service providers on the basis of an adequacy decision is again allowed. However, in each case it must be checked whether the service provider is effectively certified under the Data Privacy Framework and of course the other obligations concerning the GDPR continue to apply, so a processing agreement will still have to be signed with US processors.
In addition, of course, it remains important to pay additional attention to the security measures taken and to pursue data retention at data centres within the EU. Whether the system is sustainable remains to be seen so wait anyway before finally filing your Transfer Impact Assessment documents.
If you have questions regarding the privacy policy within your company or wish to call on our services as DPO, you can always make a no-obligation appointment via the button below or by contacting our GDPR expert Olivier Sustronck at olivier@misterfranklin.be.