#28 New Adequacy Decision for Safe and Trusted EU-US Data Flows

On 10th of July 2023 an adequacy decision regarding the EU-U.S. Data Privacy Framework (‘The Framework’) was adopted by the European Commission (the Commission). The Commission decided the United States (US) ensures an adequate level of protection – comparable to that of the EU – for personal data transferred from EU to US companies under the new Framework. As a consequence of the new decision personal data can flow from the EU to US companies participating in the Framework without additional data protection safeguards.

Background

  • The European Commission has the power to decide whether a non-EU country provides “an adequate level of protection”. The effect of such adequacy decision is that personal data can flow freely from the EU to the third country without further steps required from the data controllers.
  • After the previous adequacy decision on the EU-U.S. Privacy Shield was invalidated by the Court of Justice of the EU, the Commission and the US Government entered into discussions on a new framework.

What are the key points of the adequacy decision?

  • New binding safeguards applied by the US Government, mainly limiting access to EU data by US intelligence services to what is essential and proportionate to protect national security.  The transatlantic data flows will be facilitated since these safeguards put in place by the US Government also apply when data is transferred by companies that have not joined the EU – U.S. Privacy Framework  and use other tools for transfer – for example standard contractual clauses or binding corporate rules.
  • Opportunity of US Companies to join the Framework by committing to comply with a detailed set of privacy obligations. This includes the requirement to self-certify that they adhere to the standards through the US Department of Commerce.
  • Establishment of several redress avenues for persons in the EU in case their data is wrongly handled by US companies. This includes free of charge independent dispute resolution mechanisms and an arbitration panel.
  • EU individuals will have access to an independent and impartial two tiers redress mechanism regarding the collection and use of their data by US intelligence agencies. The first tier is the Civil Liberties Protection Officer and the second tier – the Data Protection Review Court (DPRC). EU individuals can submit a complaint to their national data protection authority which will ensure that the complaint is properly transmitted and that any further information relating to the procedure — including on the outcome — is provided to them. DPRC has powers to investigate complaints from EU individuals, including to obtain relevant information from intelligence agencies, and can take binding remedial decisions.

What is next?

  • Periodic reviews of the functioning of the EU-U.S. Data Privacy Framework will be carried out by the Commission together with representatives of European data protection authorities and competent US authorities.
  • The first review is scheduled within a year of the entry into force of the adequacy decision. By this time all relevant element that have been fully implemented in the US legal framework should be effectively practiced.

The adequacy decision entered into force with its adoption on 10 July 2023.

The Adequacy Decision can be found here