New European Union adequacy decision

Created by Thomas Hörantner, LL.M. | Business Law

Data protection agreement as new basis for transfer of personal data to US companies

Background

The GDPR enables a relatively simple transfer of data to companies in third countries (non-EU states) through so-called "adequacy decisions" (Art 45 GDPR). With an adequacy decision, the EU confirms that a third country offers an adequate level of protection for the transfer of personal data. A data transfer covered by such a decision does not require any special authorisation.

The EU has already passed two adequacy decisions on the transfer of personal data to the USA in the past. However, the European Court of Justice (ECJ) declared both data protection agreements invalid: "Safe Harbor" with the Schrems I decision of 6 October 2015 and "Privacy Shield" with the Schrems II decision of 16 July 2020.

The reason for this was the (almost) unrestricted ability of US authorities and US intelligence services to access the transferred data.

New Adequacy Decision (EU-U.S. Data Privacy Framework)

On 10 July 2023, the European Commission adopted the new adequacy decision pursuant to Article 45 of the GDPR (EU-U.S. Data Privacy Framework). It is available at: https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_de.

However, it should be noted that the adequacy decision only applies to those companies that appear in the so-called "Data Privacy Framework List". The list can be viewed at the following link (https://www.dataprivacyframework.gov/s/participant-search), where it can be searched for a specific company.

These companies undertake to comply with detailed data protection regulations. For example, they must delete personal data if the purpose for collecting the data has ceased to exist. In addition, the access of the US intelligence services is to be limited to a necessary and proportionate extent.

An independent data protection review court is to offer EU citizens effective legal protection against data transfers that do not comply with the GDPR. 

In addition, independent dispute resolution mechanisms (free of charge) and an arbitration board are provided for, which can also be called upon by EU citizens.

Conclusion

The new adequacy decision (EU-U.S. Data Privacy Framework) simplifies the transfer of data to companies in the USA (but only if they appear on the Data Privacy Framework List) and now offers European companies that transfer data to American servers the much-needed legal certainty (at least for the present). Such legal certainty no longer existed after the decision of the Austrian data protection authority on Google Analytics (GZ D155.027, 2021-0.586.257, see our article: https://www.unger-rechtsanwaelte.at/en/news/detail/dpa-decision-on-d155027-2021-0586257), which has still not become legally binding.

Due to the new adequacy decision, companies can now, as long as the ECJ does not declare it invalid, rely on a GDPR-compliant transfer of personal data to companies in the USA.