Yesterday, 10 July 2023, the European Commission (“the Commission”) adopted the adequacy decision for the EU-US Data Privacy Framework (“the Framework”).
The result is that the United States (“US”) is now regarded as a country that ensures an adequate level of protection for personal data transferred from the European Union (“the EU”) to US companies participating in the Framework. Personal data can flow safely from the EU to the US without having to put additional data protection safeguards in place.
The Framework introduces new binding safeguards to address all the concerns raised by the European Court of Justice (“CJEU”), which include:
– Limiting access to EU data by US Intelligence Services to what is necessary and proportionate to protect national security; and
– The establishment of a Data Protection Review Court (“DPRC”) to which EU individuals have access. The DPRC will independently investigate and resolve complaints, including by adopting binding remedial measures.
US companies may join the Framework by committing to comply with a detailed set of privacy obligations. These include adhering to the principles of purpose limitation, data minimization and data retention and more specific obligations such as the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected and to ensure the continuity of protection when personal data are shared with third parties.
The self-certification program will be administered by the US Department of Commerce, which will process applications for certification and monitor whether participating companies continue to meet the certification requirements. The US Federal Trade Commission will enforce compliance with the obligations under the EU-US Data Privacy Framework for US companies.
The Commission has indicated that it will continuously monitor relevant developments in the US and regularly review the adequacy decision. The first review will take place within one year after the entry into force of the adequacy decision to verify whether all relevant elements of the Framework are functioning effectively in practice.
The NGO “noyb” has already announced that it will challenge the decision since, it declares, the new agreement is basically a copy of the Privacy Shield and does not protect the rights of data subjects in a compelling way.
In the interim, the main points for organizations to consider are:
– The adequacy decision enters into force with its adoption on 11 July 2023;
– These safeguards apply to transfers of personal data to the US regardless of the transfer mechanism relied upon. Therefore, these safeguards also facilitate the use of other tools, such as the Standard Contractual Clauses and Binding Corporate Rules;
– Transfer Impact Assessments (“TIAs”) for EU-US data transfers are a bit more challenging. Technically, TIAs are not needed for transfers covered by the Framework, as the Framework adequacy decision replaces the adequacy assessment in the TIA. Existing TIAs should be reconsidered to account for the changes to US surveillance laws. Lastly, it is important to note that TIAs are still required for transfers not covered by the Framework (read: to companies that are not certified), whether to the US or to other third countries;
– Monitor developments to ensure your organization makes use of the correct contractual template.
The question that now remains is whether to self-certify under the EU-US Data Privacy Framework or to continue using Standard Contractual Clauses.