It's hard to avoid the topic of the Data Privacy Framework Agreement at the moment: the EU Commission's decision is currently the subject of much discussion. The decision is intended to make the transfer of data between the USA and the EU both more secure and easier.
Only with an adequacy decision is the transfer of personal data to third countries considered secure. However, there are still doubts about this - especially from a legal perspective. In this article, we will show you exactly what the Data Privacy Framework Agreement is, what it regulates and what criticism it sometimes receives.
Do you need support in implementing data protection in your company? Our team consists of lawyers, data protection officers, auditors, IT security consultants and risk managers who will work for you throughout Germany and in Luxembourg. As specialised management consultants, we provide you with comprehensive support in the areas of data protection, IT law and cyber security. Feel free to contact us at any time for a non-binding initial consultation.
The most important facts in brief
- The Data Privacy Framework Agreement is an adequacy decision that makes it possible to transfer personal data to the USA.
- The decision has been in force between the EEA and the USA since 10 July 2023.
- This marks the third round of the adequacy decision: After two defeats before the ECJ (European Court of Justice), this is a new attempt by the EU Commission to make data transfers possible.
- Complaints have been lodged. The French MEP Philippe Latombe, for example, has announced in a press release that he has filed a complaint with the ECJ.
- Whether the decision will hold is questionable.
What is the Data Privacy Framework Agreement?
The EU-US Data Privacy Framework Agreement, also known as Privacy Shield 2.0 or Privacy Framework, is an agreement between the European Union and the USA to ensure the secure exchange of data.
The decision, adopted by the EU Commission, came into force on 10 July 2023 and is intended to ensure that the transfer of personal data from EU member states to the United States is once again possible in compliance with data protection law (in accordance with the EU-wide GDPR).
This is particularly important for internationally operating companies and service providers, because an adequacy decision, which is what the agreement represents, eliminates the need for additional data protection safeguards. The new regulation also affects large service providers such as Google Analytics, which offer their services to companies (B2B) through various products.
What is an adequacy decision?
Since the GDPR came into force, members of the European Economic Area (EEA) may only transfer personal data to a third country if that country guarantees an adequate level of data protection, equivalent to that of the GDPR (Art. 45 GDPR).
The easiest way to establish such a level of protection is an adequacy decision issued by the EU Commission for the third country in question, which confirms the level of data protection there. Otherwise, other measures must be taken by the transferring company or a competent authority, or a separate authorization must be obtained.
In some cases, guarantees may exist for which no special authorization by a supervisory authority is required (Art. 46 para. 2, 3 GDPR).
Good to know: The EEA includes the 27 members of the EU, as well as Iceland, Liechtenstein and Norway. Third countries that are already listed as safe countries by adequacy decision include: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, South Korea, Uruguay and the United Kingdom (UK).
After the first Privacy Shield agreements with the USA in 2015 and 2020 were declared inadmissible by the ECJ, no such decision was in force between the EU and the USA.
Can data be transferred securely between the USA and the EU?
The short answer is: yes. After the ECJ declared the first two agreements inadmissible, the USA was once again considered an unsafe country without an adequate level of data protection. However, since 10 July of this year, it has been clear that data transfer to the USA can now be classified as secure again, provided the companies are certified.
This is the current legal situation, and companies can rely on it again. The Commission has decided that the USA offers an adequate level of protection and that EU companies can therefore transfer personal data to companies in the United States without further authorization. However, Privacy Shield 2.0 has been widely criticized, and it remains to be seen whether the ECJ will overturn the decision. Until then, data transfer is possible.
Please note: This only applies to companies that participate in the EU-US data protection framework. It is therefore necessary to check whether the US company receiving the data has also been certified by the data protection authority and is therefore a secure partner. A separate Data Privacy Framework List has been set up for this purpose on the website of the U.S. Department of Commerce.
How long is the decision valid?
Unlike the adequacy decision with the United Kingdom (which is scheduled to expire in 2025), there is no "expiry date" for the Data Privacy Framework Agreement. The agreement therefore applies indefinitely.
However, the decision is the subject of repeated criticism, and not only from the authorities: the two predecessors of the data protection agreement were already overturned by the ECJ, in 2015 and 2020.
This was due to the Schrems I and Schrems II lawsuits, which are named after the plaintiff Max Schrems. He has now announced that he will once again file a lawsuit. He is confident that he will also be successful this time and bring down the agreement.
Companies are therefore advised to rely on intra-European solutions and business relationships where possible. This is because these are always in line with GDPR standards and will not be affected by a potential lawsuit.
3 practical tips for data exporters
1. Is data being exported to the USA? Firstly, it must be determined whether personal data is being transferred to the USA at all. In addition, it is also necessary to check whether this data is only transferred to certified companies and is included in the corresponding data categories (HR/non-HR), as only these are covered by the new agreement.
2. Regularly review certification: Certification of US companies must be renewed on a regular basis. Data exporters should therefore check whether the company has the certification again and is therefore still eligible as a recipient of personal data.
3. Adapt privacy policy: Even if the USA is now considered a "safe recipient country", data subjects must be informed about the export of their data in the privacy policy. Reference must also be made to the specific country and the applicable adequacy decision (Art. 13, 14 GDPR).
What if a company is not on the list?
If a US company is not on the list of the U.S. Department of Commerce, the data transfer must be checked against the legal requirements that apply to third countries without an adequacy decision.
According to Art. 46 GDPR, a data transfer may be permitted if suitable guarantees for the protection of the data are provided by the recipient (e.g. standard contractual clauses). Exceptions according to Art. 49 para. 1 GDPR must be taken into account.
Before the data transfer, the requirements for lawful data processing under the GDPR must also be met. For example, it must be possible to demonstrate compliance with the principles set out in Art. 5 GDPR. In addition, the requirements of a legal basis for the specific processing in accordance with Art. 6 or Art. 9 GDPR must be met.
Conclusion
After two previous adequacy decisions between the EU and the USA were brought down by the Schrems I and Schrems II lawsuits, the EU Commission is now trying again.
Although the new decision initially offers legal certainty, it is questionable whether this will last. Many critics, but also authorities, assume that this agreement will also fall victim to the ECJ and Max Schrems. The European Court of Justice needs around two years to reach a decision. Until then, data transfer to the USA is at least possible.
Nevertheless, companies should be aware that there is a possibility that the decision will be overturned again, and they should either be prepared for this possibility or, preferably, rely directly on European partners to avoid data transfer to third countries altogether.
We would be happy to advise you on the options in the area of data protection and IT security. Our team will be happy to provide comprehensive support in these areas and advise you with legal and technical expertise. Arrange a non-binding initial consultation with our experts now.