Data protection and transfer of personal data from the EEA to the USA is a heavily discussed topic, especially in the business world. Probably there is not a single company in the EEA not processing personal data of its employees, customers, or vendors and many of these companies are considering transferring personal data also outside of the EEA, for example to their subsidiaries or vendors, to successfully perform on the market. However, not all the countries outside of the EEA can guarantee a level of protection of personal data equivalent to the level of protection guaranteed and expected in the EEA by the GDPR. Especially in the USA, the historical development of the perception of data protection is completely different in comparison to the development of the same in the European Union. On one hand, privacy of personal data is treated as a human right in the EU, and in the US, they still look at it as a property right, protection of which can be sacrificed for other benefits, such as national security or economic benefits.
Nevertheless, the EU legislation does not forbid every transfer of personal data to a third country. There are different data transfer mechanisms that companies can rely on, from adequacy decisions granted by the EU to the third country in question, to appropriate safeguards and to other data transfer mechanisms as set out in the GDPR. Specifically, between the EU and the USA there were a couple of trans-Atlantic frameworks in place in the last decades. The idea of these frameworks was to reduce bureaucracy and enable companies on both sides of the Atlantic to securely share personal data. However, the above-mentioned frameworks were successfully challenged in front of the CJEU, which invalidated them. This initially led to legal uncertainty as there was no clear instructions provided by the European Courts on how and if the companies may continue to transfer personal data from the EEA to the USA. The uncertainty was mitigated to some extent with the guide published by the European Data Protection Board, however the transfers of personal data form the EEA to a country that cannot guarantee a level of protection of personal data equivalent to the one in the EEA remains complex and very difficult to achieve.
Companies on both sides of Atlantic are craving for a new, updated trans-Atlantic framework which would ease such data transfers, however it is already clear that any such new framework agreement will be thoroughly reviewed and challenged by those who opposed the initial frameworks, unless the USA first changes its legislation in a way that would give protection of personal data in the same way or at least similar recognition and treatment as it has in the EEA.