On 10 July 2023 the European Commission announced the adoption of an adequacy decision in respect of the United States of America (the "EU-US Data Privacy Framework"). The EU-US Data Privacy Framework will enter into force on 11 July 2023.
On the basis of the new adequacy decision, which concludes that the United States data privacy laws ensure an adequate level of protection of personal data, personal data can flow safely from the European Union to companies based in the United States that are participating in the EU-US Data Privacy Framework, without having to put in place additional data protection safeguards (e.g. standard contractual clauses).
The European Commission has noted that the EU-US Data Privacy Framework:
- contains binding safeguards that will limit access to personal data of EU-based individuals by United States intelligence services to what is necessary and proportionate;
- provides EU-based individuals whose personal data is transferred to the United States with rights of access to their personal data and the right to obtain correction or deletion of their personal data; and
- establishes a Data Protection Review Court (DPRC), to which EU individuals will have access to seek redress for breaches of their rights regarding the collection and processing of their personal data. The DPRC will be empowered to order the deletion of personal data collected in violation of the EU-US Data Privacy Framework.
Companies based in the United States will be able to join the EU-US Data Privacy Framework by committing to comply with a detailed set of privacy obligations. These obligations will include commitments to delete personal data when it is no longer necessary for the purpose for which it was collected. Companies based in the United States will also need to commit to binding third parties with whom EU personal data is shared to adhere to the EU-US Data Privacy Framework.
The European Commission has noted that even where a US-based recipient of personal data has not signed up to the EU-US Data Privacy Framework, the safeguards put in place by the US government in connection with the EU-US Data Privacy Framework will facilitate the use of other tools, such as standard contractual clauses and binding corporate rules, for making transfers of personal data to the United States.
As with other EU adequacy decisions, the EU-US Data Privacy Framework will be the subject of periodic review by the European Commission to ensure that the United States data privacy laws continue to provide adequate protection for the personal data of EU-based individuals. The first such review will take place within a year of the EU-US Data Privacy Framework entering into force.
While the introduction of the EU-US Data Privacy Framework has been well signposted in the last few months and has been welcomed by many, it is likely that the EU-US Data Privacy Framework will be subject to legal challenge in the coming months, as was the case with previous frameworks for the protection of transfers of personal data between the European Union and the United States (e.g. Safe Harbour and the Privacy Shield).
As such, while the EU-US Data Privacy Framework brings legal certainty regarding the status of transfers of personal data from the European Union to the United States for now, organisations engaging in the transfer of personal data to the United States will need to continue monitoring developments in the area.