In July 2023, the EU-US Data Privacy Framework came into force. The European Commission has certified that the successor to the failed EU-US Privacy Shield provides an adequate level of protection for data transfers from the EU to the USA. But are the adequacy decisions actually a reliable basis for the transfer of personal data from the European Union to the United States? What specifically has changed with regard to the protection of EU citizens' data?
GDPR & the EU-U.S. Data Privacy Framework
Statement by Niko Fostiropoulos, CEO and founder of alfaview
The adequacy decisions for the transfer of data between the EU and the USA are largely a copy of earlier regulations such as the failed Privacy Shield:
- The USA's anti-terror legislation, which allows US authorities to access the data of EU citizens, remains untouched. No substantial changes were made to US law. This means that mass surveillance and the possibility for authorities to access EU citizens' data will remain largely unchanged.
- FISA 702 provides for the collection and storage of personal data of non-US citizens. EU citizens cannot take legal action against the storage of their data in the USA and cannot obtain information about what data is stored about them.
- The legitimization of data transfers to the USA represents a major risk for European companies, authorities, institutions and individuals: With the transfer of data, there is also a potential transfer of knowledge when using US systems. Trade secrets and European know-how are transferred to the United States under the adequacy decisions which, in turn, are subject to anti-terrorism legislation with extensive access options for US authorities.
alfaview does not rely on the adequacy decisions because the Trans-Atlantic Data Privacy Framework does not provide a sufficient legal basis for a data transfer to the US under European data protection law.
Will Schrems III be coming soon?
Detailed information on the EU-U.S. Data Privacy Framework can be found on the website of noyb, Max Schrems' organization for law and data protection, in the article “European Commission gives EU-US data transfers 3rd round at ECJ”.