Data transfer with USA simplified
We have already written to you several times on the subject of “data transfer to third countries” (such as to the USA). There is now another chapter in this never-ending story:
It went faster than expected and it is (again) getting a little easier to work with companies in the US: The EU Commission has recognised the “EU-U.S. Transatlantic Data Privacy Framework”.
What does that mean?
If the data importer in the US submits to the rules of this framework and also officially documents this, this is considered a sufficient legal basis for the third country transfer. Then you can do without additional measures such as EU Standard Contractual Clauses (SCC) and Transfer Impact Assessment (TIA).
Who does it affect?
You can find out which US entities are subject to this framework on the dataprivacyframework.gov page. This includes Microsoft, for example, so the use of Microsoft 365 is now significantly simplified from a legal perspective.
If a company is not named there, however, everything remains the same (SCC and TIA are then still required). This also applies to data recipients in third countries other than the US.
By the way: An overview of which legal bases apply when can be found in our current Practical Guide to Third-Country Transfers (available for customers in the web customer area or on request).
Caution when looking to the future
It won’t be long before this new adequacy decision is reviewed by courts. And it could well happen that it is then declared invalid just like its two predecessor agreements (Safe Harbor and Privacy Shield). You could make provisions for this case now and continue to work (additionally) with SCC and TIA.
What to do now
Existing contracts do not necessarily have to be adapted. When concluding future contracts, your contractual partner will probably automatically take the new option into account.
When the new framework comes into use, please consider the following:
- The framework must be mentioned in the Privacy Notices for data subjects (as the legal basis for the data transfer to the third country).
- The correct legal basis for the third country transfer (adequacy decision) must also be documented in the records of processing activities (foxondo).
The new Transatlantic Data Privacy Framework can facilitate data transfers with entities in the US. In that case, data subjects must be informed of this in the Privacy Notice, and the data protection documentation must be updated.