On 10 July 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework in relation to data flows between the European Union (EU) and the United States of America (US), in accordance with Article 45§3 of the Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of their personal data (the “GDPR”).
The European Commission formally recognized the EU – US data flows as safe and trusted, only under certain conditions. In its decision, the European Commission concludes that the US ensures an adequate level of protection for personal data transferred from the EU to certified US companies under the EU-U.S. Data Privacy Framework.
A. From the invalidation of the Privacy Shield to the new Adequacy Decision
- The European Commission’s new decision comes three years after the European Court of Justice invalidated European Commission’s Decision on the adequacy of the protection provided by the EU-US “Privacy Shield”. The Court then determined that the Privacy Shield transfer mechanism did not comply with the level of protection required under the EU data protection law. Also, it considered that there was no cause of action nor effective remedy available for data subjects whose data were transferred to the US.
- The Court’s decisions invalidating the previous framework highlighted the limitations to the protection of personal data arising from the US domestic law, particularly concerning access and use by US public authorities for national security purposes.
- After several years of negotiations, the European Commission now concluded that the US does provide an adequate level of protection of personal data equivalent to that of the EU, but only under the new framework and only for data transfers to certified US organizations.
B. The new provisions of the EU-US Data Privacy Framework (DPF)
The new EU-US DPF introduces significant improvements compared to the mechanism that existed under the Privacy Shield. It introduces new principles regarding data transfers from the EU to the US and binding safeguards to ensure the necessary protection of EU personal data from unwanted access by US authorities. Specifically, the new provisions of the DPF are the following:
- New rights for EU individuals: The DPF provides EU individuals whose data are transferred to certified companies in the US with several new rights (i.e. right to obtain access to their data, right to obtain correction or deletion of incorrect or unlawfully handled data).
- Redress Avenues: The DPF offers redress avenues in case EU data subjects’ data is wrongly handled, including free of charge independent dispute resolution mechanisms and an arbitration panel.
- Limiting Access to EU individuals’ data: The DPF provides for a number of safeguards regarding the access to data transferred under the framework by US public authorities, in particular for criminal law enforcement and national security purposes. Access to data is limited to what is necessary and proportionate to protect national security.
- Data Protection Review Court (DPRC): Under the DPF, EU individuals may proceed to the DPRC, which provides to data subjects an independent and impartial redress mechanism. The Court will independently investigate and resolve EU citizens’ complaints regarding potential violations of the new measures.
- New set of Data Protection Principles: The new DPF introduces a new set of principles similar to the basic principles under the GDPR: purpose limitation, processing of special categories of personal data, data accuracy, minimization and security, transparency, restrictions on onward transfers accountability.
C. The practical impact and Implementation
- No need for additional data protection safeguards: With the adoption of the Adequacy Decision, European entities are able to transfer personal data to participating companies in the US, without having to put in place additional data protection safeguards e.g. execution of standard contractual clauses (SCC) or binding corporate rules (BCRs). Nevertheless, the new DPF does not affect the direct application of the GDPR to such organizations where the conditions regarding the territorial scope of that Regulation, laid down in Article 3, are fulfilled.
- Self-Certification system: The DPF follows the example of its predecessors, the Safe Harbor and the Privacy Shield, by retaining a system of self-certification. The new DPF applies only to data transfers with certified US companies. To certify under the EU-U.S. DPF, US organizations are required to publicly declare their commitment to comply with the DPF.
- Self-Certification requires companies to submit information on their intended processing of EU personal data to the Department of Commerce (DoC) including a submission stating that the company adheres to the “EU-US Data Privacy Framework Principles” set out in the DPF.
- The DoC will include the certified company on a “DPF List” that will be publicly available online. The protection provided by the DPF will apply as of the inclusion on said list.
- DPF certified organizations must re-certify on an annually basis as to remain covered by the DPF. In case re-certification does not occur, the DoC will remove such companies from the DPF List and include them on a public record of organizations that have been removed from the list, in each case identifying the reason for such removal.
D. Final remarks
- The adequacy decision took effect immediately upon its adoption on the 10th of July 2023. The European Commission will continuously monitor developments in the US and conduct periodic reviews. The first review will occur within one year, in July 2024.
- Although the new Adequacy Decision may be appealed before the Court of Justice of the European Union, with the latter having the final say, the European Commission’s decision is an important step towards the safe transatlantic flow of personal data. The new Adequacy Decision increases the security in transatlantic data flows, which are an integral part of international business transactions. The Decision is particularly important for companies providing digital services and is expected to favor both the EU and US economies.
