There has long been criticism that the level of data protection in the USA does not correspond to that of the EU. The original EU-US adequacy decision ("Safe Harbor") was declared invalid by the European Court of Justice in 2015. The subsequent "Privacy Shield" agreement was overturned by the European Court of Justice in 2020.
The US law "FISA 702" is seen as particularly problematic. It allows US intelligence services access to personal data. According to the ECJ, the overturned agreements did not provide sufficient protection to ensure that data of EU citizens could not be processed in this way. The Austrian organisation "NOYB" (none of your business) led by Max Schrems took legal action against both agreements, which is why the rulings became known as "Schrems I" and "Schrems II".
Following the Schrems II judgement, the level of data protection in the USA was deemed inadequate. This meant that the transfer of data to the USA and therefore the use of service providers based in the USA was associated with major uncertainties. This also affected the services of companies such as Microsoft, Google, Zoom & Co. that are widely used in the EU.
On 10 July 2023, the European Commission adopted a new adequacy decision for the EU-U.S. Data Privacy Framework (successor to the "Privacy Shield"). The new agreement is called the "Trans-Atlantic Data Privacy Framework" (TADPF) and can now serve as the basis for data transfers to certified organisations in the USA.
Source: https://www.bfdi.bund.de/SharedDocs/Kurzmeldungen/DE/2023/17_Angemessenheitsbeschluss-EU-US-DPF.html
The EU Commission has established in the TADPF that an adequate level of data protection also exists for US companies that undergo a certain (self-)certification procedure.
https://www.privacyshield.gov/welcome
No. Although the mere self-certification of US companies makes it easier to use the services from a data protection perspective, it does not exempt European companies from their general obligations under data protection law. Furthermore, the corresponding processing operations must be documented and, if necessary, special data protection measures must be implemented.
From a data protection perspective, the risk of using services based in the USA has initially been reduced by the new agreement. However, there are already new concerns that the new adequacy decision will not stand up to legal scrutiny either. Data protection advocates still consider the measures to be inadequate and the NOYB organisation is already working on a lawsuit against the new agreement (https://noyb.eu/de/european-commission-gives-eu-us-data-transfers-third-round-cjeu).
It is quite possible that the TADPF will in turn be declared invalid by the European Court of Justice in the next 3-5 years.