The European Data Protection Board published its (non-binding) statement on the draft of the future EU-US privacy framework agreement on February 28, 2023 (available here). Since the ECJ decision of July 16, 2020 (Schrems II), data transfers from the EU to the US have no longer had a legal basis in the EU-US Privacy Shield. We reported on this far-reaching decision here.
Since the ECJ decision, the legal framework for transfers of personal data of any kind from the EU to the USA has become considerably less clear and uncertain. Internationally active companies in particular have been forced to use alternative transfer mechanisms in order to maintain their international business operations.
Immediately after the decision that the EU-US Privacy Shield was invalid, efforts also began to establish a successor agreement. Of course, the points of criticism of the Privacy Shield had to be eliminated first. The judges in Luxembourg based their decision primarily on the fact that the transferred personal data in the U.S. is at the mercy of government agencies (US intelligence services) and that there are no effective legal avenues of appeal against such access.
It has now been achieved that access by the US intelligence services may only take place in accordance with the principles of necessity and proportionality. In the same context, an appeal procedure for EU citizens has been in place since October 7, 2022, which provides for a special appeal to a Data Protection Review Court.
The recently published statement of the European Data Protection Board (EDPS) shows clear improvements in the data protection situation in the US. Even though the statement is not binding for any of the involved parties, there are promising starting points and the clear, associated hope of having a legally secure framework for EU-US data transfers available again in the near future. At the same time, the statement shows where the Committee believes there is still room for improvement. We are convinced that the EU Commission will reach an adequacy decision pursuant to Article 45 GDPR in the medium term at the latest. It remains to be hoped that the future agreement will withstand judicial review.