Today the European Commission issued an adequacy decision on the EU-US data protection framework. The ruling concludes that the United States provides an adequate level of protection — comparable to that of the European Union — for personal data transferred from the EU to US companies under the new framework. Under the new adequacy decision, personal data can flow securely from the EU to US companies participating in the framework without the need to put in place additional data protection safeguards.

The EU-US data protection framework introduces new binding safeguards to address all the concerns raised by the Court of Justice of the European Union, including limiting US intelligence services’ access to EU data to what is necessary and proportionate, and the creation of a Data Protection Review Tribunal (DPRC), which will be accessible to individuals from the EU. The new framework introduces significant improvements compared to the mechanism that existed under the Privacy Shield. For example, if the DPRC finds that the data was collected in violation of the new safeguards, it will be able to order the deletion of the data. The new safeguards in the area of government access to data will complement the obligations that US companies importing data from the EU will have to meet.

President Ursula von der Leyen said: “The new EU-US data protection framework will ensure secure data flows for Europeans and provide legal certainty for companies on both sides of the Atlantic. Following the agreement in principle reached last year with President Biden, the US has made unprecedented commitments to establish the new framework. Today we are taking an important step to give citizens the confidence that their data is safe, deepen the economic ties between the EU and the US, and at the same time reaffirm our shared values. It proves that, through cooperation, we can tackle even the most complex issues.”

US companies will be able to join the EU-US data protection framework by committing to comply with a detailed set of privacy obligations, for example deleting personal data when it is no longer necessary for the purpose for which it was collected, and ensuring continuity of protection when personal data is shared with third parties.

EU citizens will benefit from various remedies if their data is mishandled by US companies. This includes free independent dispute resolution mechanisms and a dedicated arbitration panel.

In addition, the US legal framework provides certain safeguards regarding US public authorities’ access to data transferred under the framework, in particular for criminal law enforcement and national security purposes: Access to data is limited to what is necessary and proportionate to protect national security.

Regarding the collection and use of their data by US intelligence services, EU citizens will have access to an independent and impartial appeal mechanism, which includes the newly established Data Protection Review Tribunal (DPRC). The Court will independently investigate and resolve complaints, including by taking binding remedies.

The safeguards put in place by the US will also facilitate transatlantic data flows more generally, as they also apply when data is transferred using other tools, such as standard contractual clauses and binding corporate rules.

Next steps

The operation of the EU-US data protection framework will be subject to periodic reviews, which will be carried out by the European Commission, together with representatives of the European data protection authorities and the US competent authorities.

The first review will take place within one year of the entry into force of the adequacy decision to verify that all relevant elements have been fully implemented in the US legal framework and are operating effectively in practice.

Background

Article 45(3) of the General Data Protection Regulation (GDPR) empowers the Commission to decide, by means of an implementing act, that a third country ensures an “adequate level of protection”, i.e. a level of protection of personal data that is substantially equivalent to the level of protection within the EU. Adequacy decisions result in the free flow of personal data from the EU (and Norway, Liechtenstein and Iceland) to a third country without further barriers.

After the Court of Justice of the EU overturned the previous adequacy decision on the EU-US Privacy Shield, the European Commission and the US government started discussions on a new framework to address the issues raised by the Court.

In March 2022, President von der Leyen and President Biden announced that they had reached an agreement in principle on a new transatlantic data flow framework, following negotiations between Commissioner Reynders and US Secretary of State Raimondo. In October 2022, President Biden signed an executive order entitled Enhancing Safeguards for United States Signals Intelligence Activities, which was supplemented by regulations issued by the US Attorney General. Together, these two instruments implemented the commitments made by the US under the agreement in principle into US law and complemented US companies’ obligations under the EU-US data protection framework.

A key element of the US legal framework enshrining these safeguards is the US Executive Order on “Strengthening Safeguards for United States Signals Intelligence Gathering Activities”, which responds to concerns raised by the Court of Justice of the European Union in the Schrems II decision of July 2020.

The framework is administered and monitored by the US Department of Commerce. The US Federal Trade Commission will enforce compliance by US companies.

Lena Flitzani