Data protection law: EU adequacy decision on the EU-US Privacy Shield ... peace for the near future.

This blog is about the current legal situation (April 2023) with regard to the EU-US Privacy Framework or, in very practical terms, questions such as whether, from a legal perspective, personal data may be transferred to the USA, whether cloud software from US companies may be used, or whether personal data may be processed in data centers of US providers.

Short form I

On 13 December 2022, the EU Commission published a draft adequacy decision for the USA, in which the EU Commission again attests that the USA has an adequate level of data protection in accordance with Article 45 GDPR. The EDPB (European Data Protection Board) will issue an opinion on this adequacy decision, although the approval of the EDPB is not required. The Member States may issue an opinion in accordance with Article 45 III sentence 4 GDPR; however, no votes against are expected. The reason is that the IT provided by the USA is economically too important for the EU economies. The Commission then publishes the adequacy decision in the EU Official Journal, making the decision binding law. This means authorities and national courts are bound by the adequacy decision. This eliminates the risk of recourse by authorities if data is transferred to the USA, if IT systems such as Google Cloud or Microsoft 365 are used, or if personal data is processed in data centers that belong, for example, to the Microsoft or AWS groups.

It is now expected again that there will be peace and quiet for the next 4 to 5 years. Civil rights movements have of course already announced that they also want to attack this adequacy decision; it will then be another few years before the BGH makes its decision.

Background

The adequacy decision was issued on documents that the US government under Joe Biden issued with regard to the Schrems II decision of the ECJ. This decision has been analyzed here at length; it states, very briefly, that personal data may not be exported to the USA and that even within the EU one may not use the services of US companies for IT services. Justification: after 9/11, the USA had granted its secret services such far-reaching powers that the USA did not meet the GDPR's requirement of a de facto adequate level of data protection. In fact, this would have meant the end for all US services. In practice, this was simply which is why the authorities repeatedly threatened that those responsible would have to exclude all US services and would only be allowed to use other services; but relatively little has happened. The children in BaWü had to do without Microsoft 365. The sword of Damocles was always present. In the Schrems II decision, the ECJ expressly pointed out that the authorities would have to enforce its decision.

For this reason, the US government has tried to meet the requirements of the Schrems II decision. The legal literature (I will spare you the details) criticizes the fact that two of the three main points of criticism of the ECJ were not substantially changed by the USA. The generally granted possibility of mass surveillance (please remember the keyword "dragnet search") by the secret services and the still existing possibility of the secret services taking disproportionate measures are, in my opinion, rightly criticized. In order to meet the requirements of the ECJ, the powers of the intelligence services in the USA would generally have to be formulated differently and this will not happen. The USA has a different policy to the EU. What has changed in EO 14086, however, is the possibility of legal protection against measures taken by the intelligence services. I will discuss this possibility in the second part.

Part II
