The European Commission has adopted a new adequacy decision for the EU-U.S. Data Privacy Framework, ensuring that the United States provides an adequate level of protection for personal data transferred from the EU to U.S. companies under the new framework. The decision allows for safe and secure data flows from the EU to participating U.S. companies without the need for additional data protection measures.
The EU-U.S. Data Privacy Framework introduces new binding safeguards to address concerns raised by the European Court of Justice. These safeguards include limiting access to EU data by U.S. intelligence services to what is necessary and proportionate and establishing a Data Protection Review Court (DPRC) accessible to EU individuals. Compared to the previous Privacy Shield mechanism, the new framework brings significant improvements. For instance, if the DPRC finds that data was collected in violation of the safeguards, it has the authority to order the deletion of the data. These safeguards related to government access to data complement the obligations that U.S. companies importing data from the EU will need to comply with.
Ursula von der Leyen, President of the European Commission, emphasized that the new EU-U.S. Data Privacy Framework will ensure safe data flows, provide legal certainty to companies on both sides of the Atlantic, deepen economic ties, and reaffirm shared values. The framework represents a significant step in addressing complex issues through collaboration.
Under the new framework, U.S. companies can join by committing to comply with a detailed set of privacy obligations, such as deleting personal data when it is no longer necessary and ensuring continuity of protection when data is shared with third parties.
EU individuals will have access to redress mechanisms in case their data is mishandled by U.S. companies. These include independent dispute resolution bodies and an arbitration panel, available free of charge.
The U.S. legal framework includes safeguards concerning access to data by U.S. public authorities for criminal law enforcement and national security purposes. Access to data is limited to what is necessary and proportionate to protect national security.
EU individuals will also have access to an independent and impartial redress mechanism regarding the collection and use of their data by U.S. intelligence agencies, including the newly created DPRC. The DPRC will investigate and resolve complaints independently and may adopt binding remedial measures.
The safeguards provided by the U.S. will also facilitate transatlantic data flows more generally, including data transferred using other tools such as standard contractual clauses and binding corporate rules.
The EU-U.S. Data Privacy Framework will undergo periodic reviews by the European Commission, European data protection authorities, and competent U.S. authorities. The first review will take place within a year of the adequacy decision’s entry into force to verify the full implementation and effective functioning of all relevant elements in the U.S. legal framework.
Background: The General Data Protection Regulation (GDPR) grants the European Commission the power to decide, through implementing acts, that a non-EU country ensures an adequate level of data protection. Adequacy decisions allow for the free flow of personal data from the EU to a third country without additional obstacles.
Following the invalidation of the previous adequacy decision on the EU-U.S. Privacy Shield by the European Court of Justice, the European Commission and the U.S. government engaged in discussions to develop a new framework addressing the concerns raised by the Court.
In March 2022, President von der Leyen and President Biden announced that they had reached an agreement in principle on a new transatlantic data flows framework. The agreement was followed by an Executive Order signed by President Biden and regulations issued by U.S. Attorney General Garland, implementing the U.S. commitments into law and complementing the obligations for U.S. companies under the EU-U.S. Data Privacy Framework.
The Framework is administered and monitored by the U.S. Department of Commerce, while U.S. companies’ compliance will be enforced by the U.S. Federal Trade Commission.
https://ec.europa.eu/commission/presscorner/detail/en/IP_23_3721