This summer, the European Commission adopted its adequacy decision on the EU-US data protection framework. The decision concludes that the US ensures an adequate level of protection, comparable to that of the EU, for personal data transferred from the EU to US companies.
Under the new adequacy decision, personal data can flow securely from the EU to US companies participating in the framework, without any additional data protection safeguards being required. The EU-US data protection framework introduces new binding safeguards to address all the concerns raised by the Court of Justice of the European Union, including limiting US intelligence services' access to EU data to what is necessary and proportionate, and establishing a Data Protection Review Court (DPRC) to which EU citizens will have access.
The new framework brings significant improvements compared to the mechanism in place under the Data Protection Shield. For example, if the DPRC finds that data has been collected in violation of the new safeguards, it will be able to order the data to be deleted. The new safeguards for government access to data will complement the obligations to which US companies importing data from the EU will be subject.
"The new EU-US data protection framework will ensure secure data flows for Europeans and provide legal certainty for businesses on both sides of the Atlantic (...) The United States has made unprecedented commitments to establish the new framework," said President Ursula von der Leyen.
US companies will be able to join the EU-US data protection framework by agreeing to comply with a detailed set of privacy obligations, such as the obligation to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties.
EU citizens will benefit from a number of legal remedies if their data is incorrectly processed by US companies. These include independent dispute resolution mechanisms and a special arbitration panel.
In addition, the U.S. legal framework provides a number of safeguards for U.S. government access to data transferred under the framework, in particular for criminal law enforcement and national security purposes. Access to data is limited to what is necessary and proportionate to protect national security.
EU citizens will have access to an independent and impartial appeal mechanism with regard to the collection and use of their data by the US intelligence services, which includes a new Data Protection Review Court (DPRC). The Court will independently review and adjudicate claims, including adopting binding remedies.
The safeguards put in place by the US will also facilitate transatlantic data flows, as they also apply when data is transferred using other tools, such as standard contractual clauses and binding corporate rules.
The effectiveness of the EU-US data protection framework will be subject to periodic reviews by the European Commission, in collaboration with representatives of the European data protection authorities and the relevant US authorities.
The first review will take place within one year of the adequacy decision's entry into force, in order to verify that all relevant aspects have been fully implemented in the U.S. legal framework and are operating efficiently and effectively.
Article 45(3) of the General Data Protection Regulation gives the Commission the power to decide, by implementing acts, that a third country ensures "an adequate level of protection", which means a level of protection of personal data substantially equivalent to that guaranteed within the EU.
Adequacy rulings have the effect of allowing the free transfer of personal data from the EU (as well as Norway, Liechtenstein and Iceland) to a third country without further barriers.
Following the invalidation by the European Court of Justice of the previous adequacy decision on the EU-US Data Protection Shield, the European Commission and the US government began discussions on a new framework that addressed the concerns raised by the Court.
A key element of the US legal framework enshrining these safeguards is the US Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, which responds to concerns expressed by the Court of Justice of the European Union in its Schrems II decision of July 2020.
The framework is managed and controlled by the US Department of Commerce. The U.S. Federal Trade Commission will ensure that U.S. companies comply with the rules.