The European Commission has adopted its adequacy decision for the EU-U.S. Data Privacy Framework. The decision concludes that the US ensures an adequate level of protection – comparable to that of the EU – for personal data transferred from the EU/EEA to US companies under the new framework. Under the adequacy decision, personal data can flow from the EU/EEA to US companies participating in the Framework, without having to put in place additional data protection safeguards.
The EU-U.S. Data Privacy Framework introduces new binding safeguards aimed at addressing the concerns raised by the European Court of Justice in the Schrems cases, including limiting access to EU data by US intelligence services to what is necessary and proportionate, and establishing a Data Protection Review Court (DPRC), to which EU individuals will have access. The Commission says that the new framework introduces significant improvements compared to the mechanism that existed under the Privacy Shield. For example, if the DPRC finds that data was collected in violation of the new safeguards, it will be able to order the deletion of the data. The new safeguards around government access to data will complement the obligations that US companies importing data from the EU will have to subscribe to.
US companies will be able to join the EU-U.S. Data Privacy Framework by committing to comply with a detailed set of privacy obligations, for instance the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties.
EU individuals will have several redress avenues in case their data is wrongly handled by US companies. These include free-of-charge independent dispute resolution mechanisms and an arbitration panel, as well as the Court mentioned above.
The safeguards put in place by the US will also facilitate transatlantic data flows more generally, since they also apply when data is transferred by using other tools, such as standard contractual clauses and binding corporate rules.
Next steps
The functioning of the EU-U.S. Data Privacy Framework will be subject to periodic reviews, to be carried out by the European Commission, together with representatives of European data protection authorities and competent US authorities. The first review will take place within a year of the entry into force of the adequacy decision to verify that all relevant elements have been fully implemented in the US legal framework and are functioning effectively in practice.
However, it seems likely that the new Framework will also be subject to legal challenge. It remains to be seen whether such legal challenges will be effective or whether the new Framework is robust enough to address the concerns raised.