Data protection: European Commission adopts new adequacy decision for secure data transfers between EU and US
The European Commission today adopted its adequacy decision for the EU-US data protection framework. The decision concludes that the United States ensures an adequate level of data protection - comparable to that of the European Union - for personal data transferred from the EU to US companies under the new framework. As a result of the new adequacy decision, personal data can be transferred securely from the EU to US companies participating in the Framework without the need for additional data protection safeguards.
The EU-US Privacy Framework introduces new binding safeguards to address all concerns raised by the European Court of Justice, including limiting access to EU data by US intelligence agencies to what is necessary and proportionate and establishing a Data Protection Review Court (DPRC) to which EU citizens will have access. The new framework brings significant improvements compared to the Privacy Shield. If the DPRC finds that data has been collected in breach of the new safeguards, it can order the deletion of the data. The new safeguards in the area of government access to data complement the obligations that US companies will be subject to when importing data from the EU.
President Ursula von der Leyen said: "The new EU-US data protection framework will ensure secure data flows for Europeans and provide legal certainty for companies on both sides of the Atlantic. Following the agreement in principle reached with President Biden last year, the US administration has implemented unprecedented commitments to establish the new framework. Today we are taking an important step to give citizens confidence that their data is secure, to deepen our EU-US economic relationship while reaffirming our shared values. It shows that by working together we can solve complex problems."
US companies can join the EU-US data protection framework by agreeing to comply with a detailed set of data protection obligations, such as the obligation to delete personal data when it is no longer necessary for the purpose for which it was collected and to continue protection when personal data is shared with third parties.
EU citizens will have several ways to complain if their data is mishandled by US companies. These include independent dispute resolution mechanisms and an arbitration panel, which will be available free of charge.
In addition, the US legal system provides a number of safeguards with respect to access by US authorities to data transferred under the Framework, particularly for criminal investigations and national security purposes. Access to data is limited to what is necessary and appropriate to protect national security.
EU citizens will have access to an independent and impartial redress mechanism regarding the collection and use of their data by US intelligence agencies, including a newly created Data Protection Review Court (DPRC). The court will independently review and resolve complaints by taking binding remedial action.
The safeguards introduced by the US also facilitate transatlantic data flows in general, as they also apply when data is transferred using other instruments such as standard contractual clauses and binding corporate rules.
Next steps
The functioning of the EU-US data protection framework is subject to regular reviews carried out by the European Commission together with representatives of the European data protection authorities and the relevant US authorities.
The first review will take place within one year of the adequacy decision taking effect to verify that all relevant elements in the US legal system have been fully implemented and are functioning effectively in practice.
Background
Article 45(3) of the General Data Protection Regulation (GDPR) gives the Commission the power to determine, by means of an implementing act, that a non-EU country ensures an "adequate level of data protection" - a level of data protection for personal data that is essentially equivalent to the level of protection within the EU. Adequacy decisions allow personal data to flow freely from the EU (as well as Norway, Liechtenstein and Iceland) to a third country without further obstacles.
Following the annulment of the previous adequacy decision on the EU-US Privacy Shield by the Court of Justice of the European Union, the European Commission and the US government began negotiations on a new framework that addresses the issues raised by the Court.
In March 2022, President von der Leyen and President Biden announced that they had reached an agreement in principle on a new transatlantic data flow framework, following negotiations between Commissioner Reynders and US Secretary Raimondo. In October 2022, President Biden signed an executive order to "enhance safeguards for U.S. signals intelligence activities," which was supplemented by regulations issued by Attorney General Garland.