On 10 July 2023, the European Commission adopted a new adequacy decision concerning personal data transfers to the United States.
This decision brings to an end a judicial saga that began in 2015 with the first Schrems ruling. Its second episode, Schrems II, left no transfer tool usable on its own for transfers of personal data to the United States (or to any other country with comparable surveillance legislation): supplementary measures were required, and in practice the only measure accepted was the encryption of all data that must not be readable by anyone in the United States.
As a result, transfers were prohibited in virtually all cases, and several decisions by data protection authorities, notably against Facebook and against the use of Google Analytics, confirmed this position.
Background and context
Since the Schrems II judgment, it was no longer possible to transfer data to the United States, or to countries presenting similar risks, particularly where comparable national security legislation applied, without providing additional guarantees.
The problem identified by the CJEU was that US national security legislation did not give non-US persons any enforceable guarantee that their personal data would be protected: it allowed the US authorities disproportionate, and in some cases unrestricted, access to the data of foreign nationals transferred to the United States, with no effective judicial remedy for the data subjects.
As a result, and by virtue of this decision, if a data controller wished to transfer data to the United States, it had to put in place not only the usual tools (BCR, standard contractual clauses, etc.) but also additional measures to ensure that the authorities would not have disproportionate access to this data.
In practice, the only supplementary measure officially accepted by the authorities for transfers to the United States was encryption of the data, provided that the encryption key remained in the EU and was never transferred to, or accessible from, the United States. This measure only works where the recipient does not need to process the data in clear.
This severely limited the possibility of transferring data, as the recipient often needs to use, and therefore to read, the content of the data. This is precisely why the use of Google Analytics and the data transfers set up by Facebook were found unlawful.
It is important to remember that this requirement still applies to any country presenting risks within the meaning of the Schrems II ruling, particularly where its legislation allows unlimited or disproportionate access to data by government authorities.
On the basis of this judgment, it is therefore still necessary, before sending the data, to assess the potential risks and thus the legislation of the destination country (a transfer impact assessment), and to adopt measures appropriate to the risks identified for each country concerned.
Given that the Commission was twice wrong about a country such as the United States (Safe Harbor, then Privacy Shield), this analysis is all the more difficult for third countries with less transparent legislation. It can nevertheless be deduced without much difficulty that transfers to countries considered to have authoritarian tendencies (Russia, China, etc.) always require additional measures.
The European Commission’s adequacy decision and its practical consequences
Following lengthy negotiations with the European Commission, the United States adopted additional safeguards for European citizens, not by amending its statutes but by executive order, limiting signals intelligence to what is necessary and proportionate and creating a new redress mechanism for EU data subjects.
These changes were considered sufficient by the Commission, which published an adequacy decision allowing transfers to the United States.
Unlike a usual adequacy decision, which allows data to be transferred to any recipient in the country concerned without recourse to a transfer mechanism, this decision is limited to recipients that have committed to the guarantees required by the ECJ.
As a result, American companies must self-certify under the EU-US Data Privacy Framework, as was the case with the Privacy Shield, to benefit from the adequacy decision. Otherwise, they will have to use one of the other usual mechanisms for receiving data from the EU.
In practice, before setting up a data transfer to the United States, it is therefore necessary to check that the recipient company appears on the official Data Privacy Framework list, that its certification is active, and that it covers the category of data concerned (HR data in particular must be covered expressly).
If the company has not signed up to the Data Privacy Framework, it is necessary to sign the standard contractual clauses, or to rely on BCRs where the group has implemented them for intra-group transfers, as the framework for the transfer, together with the transfer impact assessment that those tools require.
Validity of the solution
Critics have pointed out that the safeguards adopted by the United States are not sufficient to ensure an adequate level of protection, particularly because the body responsible for handling complaints from data subjects, the Data Protection Review Court, is an executive body rather than a court or tribunal within the meaning of EU law, and because an executive order can be revoked by a future administration.
We can therefore expect a new Schrems III saga, but for the time being transfers are authorised, including for Google Analytics, as Google LLC has self-certified under the Data Privacy Framework.
Should you have any questions, do not hesitate to contact Arnaud BLANC, French & English qualified lawyer.