EU-US data transfer: towards Shrems III?

The European Parliament Resolution on the adequacy of the protection offered by the EU-US data privacy framework addressed a critically important issue affecting all organizations, large and small alike, that transfer data overseas to the U.S.

Following the rulings of the Court of Justice of the European Union (CJEU) on October 6, 2015, in Case C-362/14, Maximillian Schrems v. Data Protection Commissioner (“Schrems I”) and on July 16, 2020, in Case C-311/18, Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (“Schrems II”) the framework for personal data transfers has changed profoundly to the point where in the absence of an adequacy decision it is only possible to transfer personal data from the E.U. to the U.S. if adequate safeguards are in place under Art. 46 GDPR.

In this decision, the European Parliament identified several underlying problems, including the surveillance of non-U.S. persons under U.S. law and that European citizens need more adequate remedies to protect their data.

Although the United States has provided a new redress mechanism for issues related to public authorities access to data, the Parliament has projected significant doubts about the effectiveness of these where European businesses need and deserve legal certainty.

Of all of them, the most crucial point that the Parliament Resolution highlighted is that the United States still does not have a federal data protection law. At the same time, there are numerous State Law provisions that, however, vary enormously in terms of the level of protection afforded to individuals. Of them all, the most impactful state legislation and one that certainly deserves mention is the California Consumer Privacy Act of 2018, which grants a body of rights protection, in some respects, comparable to that provided by the GDPR (see https://oag.ca.gov/privacy/ccpa)

After highlighting the heavy criticism of the U.S. data protection framework, it concluded its provision that the EU-U.S. data privacy framework does not create an essential equivalence of the level of protection of individuals involved in processing personal data.

Related Posts