Europe – US: Legal Certainty for Data Flows?

Author

Ivica Kuzmic

Published

5 December 2023

Reading time

minutes

On 10 July 2023, the European Commission adopted the agreement in principle on a transatlantic data protection framework reached between the EU and the US in March. This framework agreement became necessary after the European Court of Justice (ECJ) invalidated the previous one. In particular, the judges criticized the extensive access of the US intelligence services to personal data transferred to companies in the US.

The new agreement stipulates that the intelligence services may only access the data if it is necessary and proportionate to protect national security. A new court will ensure data protection and civil liberties standards in the event of complaints from Europeans. These protections also apply to data transfer instruments such as standard contractual clauses and internal company rules. US companies can participate in this data protection framework through a certification process if they comply with data protection obligations, including deletion of unnecessary data and data transfer safeguards.

The Practice

Data transfers from the EU or EEA, including from Liechtenstein to the US, will become much easier in the future. Companies will no longer have to use standard contractual clauses to legally transfer data to the US, provided that the US company agrees to comply with detailed data protection rules. Companies will now be able to demonstrate compliance through a certification process.

Hanging Game Continues

The same organization that won the ECJ ruling has indicated that it will also challenge the new privacy agreement in court. In its view, even the EU Commission's third attempt does not constitute a stable data transfer agreement because “fundamental” surveillance issues have not been sufficiently addressed. A French MEP has already filed a lawsuit on other grounds. The long-awaited legal certainty in data transfers with the US could therefore be short-lived.

The Situation in Switzerland

In the case of data exchange between Switzerland and the US, the situation is similar to that between the EU and the US. Following the ECJ ruling, the Federal Data Protection and Information Commissioner (FDPIC) removed the US from the list of countries with an adequate level of data protection. Switzerland is currently negotiating its own data protection framework with the US, known as the Swiss-US Data Privacy Framework. Since the entry into force of the new Federal Data Protection Act on 1 September 2023, it has been the responsibility of the Federal Council to assess a country’s adequacy under the Data Protection Act. Despite the agreement between the EU and the US and the possibility of confirmation of an adequate level of protection for certified US companies, the Swiss list of countries with an adequate level of protection will not change until the new framework is available. Personal data may therefore continue to be transferred to the US only with additional safeguards, such as the standard contractual clauses.

 

Ivica Kuzmic
Liechtenstein Bankers Association

Find Out More