Data traffic between the EU and the USA: European Commission adopts new adequacy decision

The European Commission has adopted its adequacy decision for the EU-U.S. data protection framework. It states that the United States will ensure an adequate level of protection, comparable to that of the European Union, for personal data transferred from the EU to U.S. companies within the new framework. After the Court of Justice of the European Union invalidated the previous adequacy decision on the EU-U.S. Privacy Shield, the European Commission and the U.S. government began discussions on a new framework that addressed the concerns raised by the Court.

Commission President Ursula von der Leyen said: "The new EU-US data protection framework will ensure secure data flows for Europeans and provide legal certainty for businesses on both sides of the Atlantic. Following the agreement in principle I reached with President Biden last year, the U.S. has made unprecedented commitments to create the new framework. Today, we take an important step forward in giving citizens confidence in the security of their data and deepening our economic relationship between the EU and the U.S., while strengthening our shared values. The framework shows that by working together, we can tackle the most complex issues."

New binding guarantees

The EU-U.S. data protection framework introduces new binding safeguards to address all concerns raised by the European Court of Justice, including limiting U.S. intelligence agencies' access to EU data to a necessary and proportionate level and creating a Data Protection Review Court (DPRC) to which individuals in the EU have access.

The new framework brings significant improvements over the mechanism in place under the Privacy Shield. For example, if the Data Protection Review Court finds that the new safeguards were violated during data collection, it can order the deletion of the data. The new safeguards in the area of government access to data will complement the obligations that U.S. companies importing data from the EU must comply with.

U.S. companies can join the EU-U.S. data protection framework by committing to detailed data protection obligations, including, for example, obligations to delete personal data when it is no longer necessary for the purpose for which it was collected and to ensure continued protection when personal data is disclosed to third parties.

EU citizens will have several remedies open to them if their data is not handled properly by U.S. companies. These include free independent dispute resolution mechanisms and an arbitration board.

Access to data by U.S. authorities is restricted

In addition, the U.S. regulatory framework provides certain safeguards with respect to access by U.S. authorities to data transferred within the framework, particularly for access to data for law enforcement and national security purposes. Access to data is limited to what is necessary and proportionate to protect national security.

Individuals in the EU will have recourse to an independent and impartial redress process in connection with the collection and use of their data by U.S. intelligence agencies, including referral to a newly created data protection review tribunal. This tribunal will independently investigate and resolve any complaints, including by ordering binding remedies.

The safeguards introduced by the United States will also facilitate transatlantic data flows in general, as they also apply to transfers of data using other instruments such as standard contractual clauses and binding corporate rules.

Next steps

The functioning of the EU-U.S. data protection framework is to be reviewed jointly on a regular basis by the European Commission and representatives of the European data protection authorities and the competent U.S. authorities.

The first review is to be conducted within one year of the effective date of the adequacy decision to determine whether all relevant elements have been fully implemented in the U.S. regulatory framework and are operating effectively in practice.

Background

Pursuant to Article 45(3) of the General Data Protection Regulation (GDPR), the Commission may decide, by means of an implementing act, that a third country provides an "adequate level of protection", i.e., a level of protection of personal data equivalent in substance to that provided in the EU. The effect of adequacy decisions is that personal data may be transferred from the EU (as well as from Norway, Liechtenstein and Iceland) to a third country without the need for further safeguards.

After the Court of Justice of the European Union invalidated the previous adequacy decision on the EU-U.S. Privacy Shield, the European Commission and the U.S. government began discussions on a new framework that addressed the concerns raised by the Court.

In March 2022, President von der Leyen and President Biden announced that they had reached agreement in principle on a new transatlantic framework for data communications following negotiations between Commissioner Reynders and U.S. Secretary of Commerce Raimondo. In October 2022, President Biden signed a relevant decree ("Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities"), which was supplemented by executive orders issued by U.S. Attorney General Garland. These two instruments transposed into U.S. law the commitments made by the United States under this agreement in principle and supplemented the obligations of U.S. companies within the EU-U.S. data protection framework.

A key element of the U.S. legal framework that enshrines these safeguards is the U.S. Executive Order on "Enhancing Safeguards for United States Signals Intelligence Activities", which addresses the criticisms raised by the Court of Justice of the European Union in the July 2020 "Schrems II" ruling.

The framework will be administered and overseen by the U.S. Department of Commerce. The U.S. Federal Trade Commission will enforce compliance by U.S. companies.

Source: Press release of the European Commission of 10.07.2023

Text of the adequacy decision: https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en
