For e-commerce companies in the EU, the world has become a slightly simpler place again, at least as far as data protection is concerned: In July, the European Commission adopted the new adequacy decision in the form of the “EU-U.S. Data Privacy Framework”, thus creating a new legal basis for EU companies to cooperate with U.S. service providers and to have data processed there. The previous Privacy Shield agreement had been declared inadmissible by the ECJ three years ago.
One of the reasons for the court ruling at the time was that U.S. authorities had access to the servers of U.S. companies and thus also to the data of EU companies and their customers. However, EU companies are only allowed to cooperate with providers from third countries and process data on their servers if a level of data protection that is the same as in the European Union can be guaranteed there. Since its entry into force in 2018, the General Data Protection Regulation (GDPR) has provided the legal framework. So-called adequacy decisions confirm that a non-EU state complies with the most important criteria, and the processing of personal data there is thus classified as legally compliant and unobjectionable. Such adequacy decisions exist for a number of countries and can be found on the website of the European Commission.
After the Privacy Shield was declared illegal three years ago, the use of Google Analytics, Microsoft solutions and the like, to name just a few, was strictly speaking illegal. Since then, however, there have been significant improvements on the American side. As the European Commission explains, the new EU-U.S. data protection framework introduces, among other things, “new binding safeguards to address all concerns expressed by the European Court of Justice, including limiting access to EU data by U.S. intelligence agencies to what is necessary and proportionate and establishing a Data Protection Review Court (DPRC).” The latter would be able to order the deletion of data in the event of a breach of the new safeguards. In addition, the new adequacy decision will now be regularly monitored by the EU Commission and by representatives of the data protection authorities. For more details on the new EU-U.S. Data Privacy Framework, read the text of the adequacy decision here.
For European companies in general and e-commerce providers such as online printers in particular, the new adequacy decision is therefore good news. As the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) writes, this is intended to allow personal data to flow from the EU to the U.S. again without companies having to take additional measures or use specific transfer instruments. However, there is one restriction here as well: the new data protection framework does not apply across the board to all U.S. companies, but only to those that are certified in accordance with the EU-U.S. Data Privacy Framework.
European companies must therefore continue to check first whether the providers of the services they use are certified under the new data privacy framework. The U.S. authorities have set up a special website for this purpose, albeit in English, which can be used for a targeted search. Good news: The two major IT heavyweights Google and Microsoft are of course already certified.