Today the European Commission adopted a new adequacy decision regarding the EU-US framework for the protection of personal data, concluding that the US provides an adequate level of protection, similar to that of the European Union, for personal data transferred from the EU to US companies under the new framework. This decision allows for a secure flow of personal data from the EU to US companies that join the framework, without additional data protection requirements.
The New EU-US Data Protection Framework
The EU-US framework for the protection of personal data introduces new binding measures to address all the concerns expressed by the Court of Justice of the European Union. These include limiting US intelligence services' access to EU data to what is necessary and proportionate, and creating a Data Protection Review Court (DPRC), accessible to citizens of the EU. The new framework brings significant improvements over the previous Privacy Shield mechanism. For example, if the DPRC believes that the data has been collected in violation of the new guarantees, it can order its deletion.
President Ursula von der Leyen said: “The new EU-US framework for the protection of personal data will ensure secure data flows for European citizens and bring legal certainty to businesses on both sides of the Atlantic… This shows that, working together, we can tackle the most complex issues.”
Protections and Obligations for US Businesses
American companies can join the EU-US framework for personal data protection by committing to a detailed set of privacy obligations. These include the obligation to erase personal data when it is no longer needed for the purpose for which it was collected and to ensure continuity of protection when personal data is shared with third parties.
Recourses and Guarantees for EU Citizens
The EU-US personal data protection framework introduces innovative binding safeguards to address all concerns raised by the Court of Justice of the European Union. This includes limiting access to European data by US intelligence services to what is necessary and proportionate, and establishing a specific Data Protection Review Court (DPRC), to which EU citizens will have access. The new framework brings significant improvements over the existing mechanism under the Privacy Shield. For example, if the DPRC determines that the data has been collected in violation of the new guarantees, it can order its deletion. The new safeguards regarding access to data by public authorities will complement the obligations that US companies importing data from the EU will have to meet.
Further Implications and Next Steps
The guarantees offered by the United States will also facilitate transatlantic data flows in general, as they also apply when data is transferred through other means, such as standard contractual clauses and binding corporate rules.
The functioning of the EU-US framework for the protection of personal data will be subject to periodic reviews by the European Commission in collaboration with representatives of the European data protection authorities and the competent US authorities.
Scope and Regulatory Context
Article 45(3) of the General Data Protection Regulation (GDPR) gives the European Commission the ability to determine, through enforcement measures, whether an external country offers “an adequate level of protection”. This translates into personal data protection which is essentially equivalent to that guaranteed in the European Union. By virtue of an adequacy decision, personal data can flow freely from the EU (and also from Norway, Liechtenstein and Iceland) to a third country, without encountering further obstacles.
Reformulation of the Regulatory Framework after the Previous Decision
Following the annulment of the previous EU-US Privacy Shield adequacy decision by the Court of Justice of the EU, the European Commission and the US government entered into discussions on a new framework addressing the issues raised by the Court.
In March 2022, President Ursula von der Leyen and President Joe Biden announced that they had reached agreement in principle on a new framework for transatlantic data flows, following negotiations between Commissioner Reynders and US Secretary of Commerce Gina Raimondo. In October 2022, President Biden signed an executive order to strengthen safeguards applicable to US-led signals intelligence activities, which was complemented by regulations issued by US Attorney General Merrick Garland. These two instruments, taken together, implemented the commitments made by the United States under the agreement in principle into US law and extended the obligations to US companies that fall under the EU-US framework for the protection of personal data.
Fundamentals of the New US Regulatory Framework
A cornerstone of the US legal framework establishing these safeguards is the Presidential Executive Order on Enhancing Safeguards Applicable to US-led Signals Intelligence Activities. This order responds to the concerns expressed by the Court of Justice of the European Union in the Schrems II decision of July 2020.
Management and Control of the Regulatory Framework
The data protection framework is managed and monitored by the US Department of Commerce. The US Federal Trade Commission will ensure that US companies comply with the provisions of the framework.
In conclusion, the adoption of the new EU-US data protection framework represents an important step forward in protecting the privacy of EU citizens. Binding safeguards, limiting access to data by US intelligence services and the establishment of the Data Protection Review Court are crucial elements of this new system. The evolution from the previous Privacy Shield is significant, with the addition of stronger security measures and greater transparency. US companies importing data from the EU will now be subject to stricter obligations, thus ensuring better protection of European citizens' personal data. This represents a major leap forward towards a future where data privacy is respected on both sides of the Atlantic.