The conditions are now in place for a fresh decision to be taken on data transfers between the EU and the U.S. President Biden has signed an executive order to strengthen the protection of personal data in the U.S. This paves the way for businesses to once again be able to smoothly transfer personal data across the Atlantic. Hopefully, interaction and business activity with the U.S. will be simplified in the spring.
Many businesses work hard to be able to transfer personal data from the EU to the U.S. For all types of personal data, businesses must make assessments about whether and how they can transfer data. Reasonable protective measures are not always available. Extensive requirements for technical safeguards, such as end-to-end encryption, are costly, time-consuming and sometimes make data transfer pointless.
In the past, adequacy decisions have meant that the EU approved the U.S. as a recipient country of personal data. The most recent decision, known as Privacy Shield, was invalidated in July 2020 in the Schrems II judgment of the European Court of Justice. The verdict has had major consequences. Businesses have had to invest considerable resources to ensure the protection of personal data in accordance with the court decision and guidance from the European Data Protection Board (EDPB), and to comply with requirements set in so-called transfer mechanisms such as Standard Contractual Clauses and Binding Corporate Rules. The public sector in Sweden has also been affected, particularly through Swedish public authorities' interpretation prohibiting the use of American IT providers and cloud services.
For a new adequacy decision to take effect, the U.S. must adopt regulations that allow only proportionate government surveillance and give individuals the opportunity to seek legal review of how their personal data is processed. This has now been confirmed by President Biden according to information from the White House.
The European Commission will now draft a new decision on the transfer of personal data to the U.S. in the coming months. After the EDPB delivers its opinion, Member States must approve the proposal before the European Commission can formally adopt the adequacy decision. By spring, businesses can hopefully breathe a sigh of relief when the transfer of personal data is facilitated through the EU-U.S. Data Privacy Framework (EU-U.S. DPF). Once this decision has been taken, companies can rely on personal data in the U.S. being protected in the same way as in the EU. Then the ordinary risk-based approach and measures stipulated in GDPR apply.