In early October 2022, US President Biden signed the Executive Order for the planned US-EU Data Privacy Framework. Dr Jens Eckhardt, specialist attorney for IT law at Derra, Meyer & Partner in Dusseldorf and board member of EuroCloud Deutschland, answers three questions on what this means for future data transfers to the US.
Dr Eckhardt, now that the Trans-Atlantic Data Privacy Framework has replaced the legal failure of the Privacy Shield, what is set to be more effectively regulated?
After the EU and the US had already reached an agreement in principle about six months ago, the US President issued a so-called Executive Order on 7 October to address the ECJ’s critique of the failed EU-US Privacy Shield. Formally, a proportionality clause has been introduced with regard to (mass) surveillance by the US security authorities. Whether the US has the same understanding of proportionality in this respect remains to be seen. A judicial redress mechanism against surveillance measures has also been formally created. However, there has already been criticism voiced that what is formally referred to as a “court” is in fact not an independent court in the sense of the EU’s legal understanding. An Executive Order is also not a law that implements the guidelines, but – to put it simply – an administrative order. To sum it up: Formally, the US is responding to the ECJ’s criticism and thus paving the way for a new simple data transfer from the EU to the US.
What will happen now, and from when does the new regulation apply?
The Executive Order alone has no effect on the legal situation in the EU and Germany. This requires a new so-called adequacy decision by the EU Commission in accordance with Article 45 of the GDPR. Once this decision has been made, personal data may again be transferred to the USA in a simplified manner in accordance with this adequacy decision. The Executive Order is decisive for this decision. The ECJ had made it clear that the EU Commission must comprehensively examine the data protection situation in a third country and, without this Executive Order, an adequate level of data protection for the USA could not be established. In view of the procedure for such a decision, a new adequacy decision can be expected from spring 2023.
How will companies in Germany benefit from the agreement?
The EU Commission’s adequacy decision means that a transfer of personal data will be permitted if the relevant requirements are met. This means that the currently required individual examination of whether personal data can be transferred to the USA will no longer be necessary. There is once again a simple and clear legal framework for the transfer of data to the USA. But – and this is certainly also a fact – the next lawsuit against this legal framework before the ECJ will arrive, and then we will see whether the ECJ’s previous critique has only been formally redressed or whether it has actually been rectified. In any case, the present upside is: as long as the ECJ has not overturned the new adequacy decision of the EU Commission, data processors can rely on it.
Dr Eckhardt, thank you very much for the interview!