After years of uncertainty, the Trans-Atlantic Data Privacy Framework (TADPF) creates a new legal basis for data processing in the USA. Therefore, on July 10, 2023, the European Commission issued an adequacy decision on US data processing, which certifies a sufficient level of data protection under the GDPR.
In this article, we will take a look at how the legal situation has changed in concrete terms, what advantages this brings for website visitors, and what website operators must be aware of. Because in addition to criticism regarding the Trans-Atlantic Data Privacy Framework, there is a tricky hurdle for website operators to securely re-integrate US services. We also explain how you can easily overcome this hurdle with Real Cookie Banner for WordPress!
What was the problem with US data processing?
The General Data Protection Regulation (GDPR) sets a very high level of protection for the processing of personal data and grants extensive rights to data subjects, such as rights of access, rights of withdrawal and the right of deletion. The main problem with data processing in the US was the difference in data protection standards between the EU and the US. In particular, the powers of US authorities to access personal data of non-US citizens without sufficient legal recourse (simply said: to be able to take action against it) have led to the possibility of unwanted surveillance and access by government authorities in the US. This has been one of the problems for the EU to consider the level of data protection in the US as sufficient.
The European Commission, an EU body, had previously certified an adequate level of data protection for the USA. However, in 2020, the European Court of Justice (ECJ) declared the so-called adequacy decision between the EU and the U.S., the “EU-US Privacy Shield,” invalid in its “Schrems II” judgment (as well as the “Safe Harbor” agreement before). In short, the ECJ, in contrast to the European Commission, did not see sufficient protection of personal data of EU citizens in the US.
Since this ruling, it has become significantly more complicated for website operators as data protection controllers to comply with data protection requirements for data processing in the USA. Not only are data processing agreements required, but also standard contractual clauses and other measures to enable data processing in the USA in any case.
If the standard contractual clauses did not work (or website operators wanted be on the saver side), data processing often had to be based on Art. 49 GDPR. This article describes the conditions for the transfer of personal data to third countries outside the EU or EEA if there is no adequacy decision for that country. However, specific consent for data processing on your website under Article 49 GDPR is only an exception that can be used in certain circumstances. Practically, you had a long text about US data processing in your cookie banner:
Some services process personal data in the USA. By consenting to the use of these services, you also consent to the processing of your data in the USA in accordance with Art. 49 (1) lit. a GDPR. The USA is considered by the ECJ to be a country with an insufficient level of data protection according to EU standards. In particular, there is a risk that your data will be processed by US authorities for control and monitoring purposes, perhaps without the possibility of a legal recourse.
For website operators, it is practically impossible to avoid using services from US corporations such as Google, Facebook, Microsoft and Co. without significantly restricting themselves. However, truly secure data processing had many pitfalls, as the court decision against the use of Google Fonts (German) or the office action against Google Analytics in Austria (German) made clear. Running a website in a legally secure manner was therefore no longer child’s play!
Trans-Atlantic Data Privacy Framework creates new legal basis for US data processing
On July 10, 2023, the time finally came: European Commission President Ursula von der Leyen announced via Twitter that the adequacy decision for the Trans-Atlantic Data Privacy Framework had been passed. A long name for an agreement – neither a law nor an administrative order – between the EU Commission and the US Department of Commerce. In this agreement, the USA agreed to improve its level of data protection, while the EU Commission, in return, issues an adequacy decision for the transfer and processing of data in the USA.
A key aspect of the new adequacy decision is the creation of a stronger legal framework for data flows between the EU and the US. The agreement builds on the existing EU-US Privacy Shield Framework, which was declared illegal by the European Court of Justice in 2020 due to concerns about US surveillance practices. Even though the new adequacy decision provides for stronger security measures and improved transparency, there continues to be much criticism about whether these measures are sufficient to ensure adequate privacy protections. In particular, noyb, the organization of Austrian lawyer Max Schrems, who already brought the two previous adequacy decisions before the ECJ, is voicing harsh criticism. Moreover, noyb is already planning legal action against the adequacy decision.
Nevertheless, this adequacy decision is likely to bring some years of calm to the discussion about data processing in the US for the time being. Organizations like Noyb will need time to take legal action and to have the new adequacy decision reviewed again by the ECJ. So as a website operator, you have some peace to take a breath!
The exact assessment of the new adequacy decision by the ECJ could have an impact on the future of data traffic between the EU and the US. Despite the valid criticisms, the adequacy decision allows for easier data traffic to the US, thereby boosting economic cooperation. You as a website operator can benefit greatly from the simplification of data transfer processes, as you now no longer have to rely on alternative legal mechanisms such as standard contractual clauses or binding internal data protection regulations. This reduces effort and reduces administrative complexities, leading to more efficient collaboration. At least in theory, as we will see in the following.
What will website operators have to pay attention to in the future when processing data in the USA?
In the future, you will still have to conclude a data processing agreement with the company that processes your data. This applies just as it does to companies from other safe or unsafe countries as defined by the GDPR. But the long text about US data processing in your cookie banner can be omitted.
However, there is a tricky part for you as a website operator: The European Commission’s adequacy decision for the US, based on the Trans-Atlantic Data Privacy Framework, does not generally consider data processing in the US to be secure. Instead, US companies now have the option to self-commit and self-certify in accordance with the Trans-Atlantic Data Privacy Framework and the European data protection principles. You can find a list of all certified US companies on dataprivacyframework.gov, provided by the US Department of Commerce, since July 17, 2023. In the future, only data processing in the US by certified companies will be considered secure. All other US data processing will remain insecure unless providers take other appropriate protective measures, such as the known standard contractual clauses.
Most US companies whose services are also used in the EU and which were already certified under the Privacy Shield are already self-certified again. In practical terms, this means that you will no longer have to or should no longer obtain consent in accordance with Art. 49 GDPR in your cookie banner for most US services. The long text module for US data processing in your cookie banner can then be omitted (if no data processing takes place in other insecure third countries).
We have already added the ability to specify in which countries data processing takes place and which are considered secure with Real Cookie Banner 3.8.0. After passing the adequacy decision on July 10, 2023, in Real Cookie Banner 3.9.0 we have given you the option to define that a service is certified for secure US data processing under the new TADPF. In addition, you can now alternatively legitimize data processing with standard contractual clauses.
Go to Cookies > Services (Cookies) in your WordPress backend and edit an existing service or create a new one. If the United States is specified in the “Data processing in countries” field, the new section “Special treatment for unsafe countries” is displayed immediately below it.
In order to be able to check the checkbox “Provider is self-certified in accordance with the Trans-Atlantic Data Privacy Framework for secure data processing in the USA”, you must check on the website dataprivacyframework.gov whether the provider of the service you are using has self-certified in accordance with the TADPF.
Alternatively, to check the “I have concluded standard contractual clauses with the provider” checkbox, you must have a contract with the provider whose service you have embedded in your website. Check this contract to see if you can find the so-called standard contractual clauses in it. This is a contract component specified by the EU, which assures you that the data processing is performed securely in the sense of the GDPR, no matter where in the world it is done.
If you can set one of the two checkboxes, consent according to Art. 49 GDPR will no longer be obtained for the US data processing in your cookie banner, as you no longer need it.
We will soon include the corresponding typical information in all service templates in Real Cookie Banner as well.
Conclusion: US services usable again, but with additional effort for website operators
In summary, the EU’s new adequacy decision for the US represents an important step in strengthening data protection and transatlantic data flows. The increased data protection standards and improved legal framework should ensure that the personal data of EU citizens is adequately protected. However, justified criticisms remain, and it remains to be seen how the ECJ will react to a lawsuit filed by Max Schrems.
As a website operator, you will have to provide further information in the consent dialog (cookie banner), as the adequacy decision does not consider the entire USA to be secure, but only data processing by certified companies. But this means, that you can integrate the vast majority of relevant US services on your website in a legally compliant way again.
If the relevant US services you use have certified themselves according to the Trans-Atlantic Data Privacy Framework, a large text block in cookie banners can be omitted. This will increase transparency on your website and make it easier for website visitors to decide which data processing they want to consent to and which they do not.