Data protection: European Commission adopts new adequacy decision for secure data transfers between EU and US
The European Commission today adopted its adequacy decision for the EU-US data protection framework. The decision concludes that the United States ensures an adequate level of data protection - comparable to that of the European Union - for personal data transferred from the EU to US companies under the new framework. As a result of the new adequacy decision, personal data can be securely transferred from the EU to US companies participating in the Framework without having to take additional data protection precautions.
The EU-US Privacy Framework introduces new binding safeguards to address all concerns raised by the European Court of Justice, including limiting access to EU data by US intelligence agencies to what is necessary and proportionate and establishing a Data Protection Review Court (DPRC) to which EU citizens will have access. These are significant improvements compared to the Privacy Shield. If the DPRC discovers that data has been collected in breach of the new security measures, it can order the deletion of the data. The new provisions in the area of government access to data complement the obligations to which US companies will be subject when importing data from the EU.
President Ursula von der Leyen said: "The new EU-US data protection framework will ensure secure data flows for Europeans and provide legal certainty for companies on both sides of the Atlantic. Following the agreement in principle reached with President Biden last year, the US administration has implemented unprecedented commitments to establish the new framework. Today we are taking an important step to give citizens confidence that their data is secure, to deepen our EU-US economic relationship while reaffirming our shared values. It shows that by working together we can solve complex problems."
US companies can join the EU-US Privacy Framework by agreeing to comply with a detailed set of data protection obligations, such as the commitment to delete personal data when it is no longer necessary for the purpose for which it was collected and to ensure continued protection when personal data is shared with third parties.
EU citizens will have several ways to complain if their data is mishandled by US companies. These include independent dispute resolution mechanisms and an arbitration panel, which will be available free of charge.
In addition, the US legal system provides a number of safeguards with respect to access by US authorities to data transferred under the Framework, in particular for criminal investigations and national security purposes. Access to data is limited to what is necessary and appropriate to protect national security.
EU citizens will have access to an independent and impartial redress mechanism regarding the collection and use of their data by US intelligence agencies, including a newly created Data Protection Review Tribunal (DPRC). The tribunal will independently review and resolve complaints by taking binding remedial action.
The safeguards introduced by the US also facilitate transatlantic data flows in general, as they also apply when data is transferred using other instruments such as standard contractual clauses and binding corporate rules.
Next steps
The functioning of the EU-US data protection framework is subject to regular reviews carried out by the European Commission together with representatives of the European data protection authorities and the relevant US authorities.
The first review will take place within one year of the adequacy decision taking effect to verify that all relevant elements in the US legal system have been fully implemented and are functioning effectively in practice.
Background
Article 45(3) of the General Data Protection Regulation (GDPR) gives the Commission the power to determine, by means of an implementing act, that a non-EU country ensures an "adequate level of data protection" - a level of data protection for personal data which essentially corresponds to the level of protection within the EU. Adequacy decisions allow personal data to flow freely from the EU (as well as Norway, Liechtenstein and Iceland) to a third country without further obstacles.
Following the revocation of the previous adequacy decision on the EU-US Privacy Shield by the Court of Justice of the European Union, the European Commission and the US government have started negotiations on a new framework to address the issues raised by the Court.
In March 2022, President von der Leyen and President Biden announced that they had reached an agreement in principle on a new transatlantic data flow framework, following negotiations between Commissioner Reynders and US Secretary Raimondo. In October 2022, President Biden signed an executive order to "enhance safeguards for U.S. signals intelligence activities," which was supplemented by regulations issued by Attorney General Garland.





