The European Commission has adopted an adequacy decision for the EU-US Data Privacy Framework, allowing personal data to flow from the EU to US companies certified under the framework without the need for additional transfer safeguards. The decision follows the adoption of new safeguards by the US government, intended to address the concerns raised by the Court of Justice of the European Union (CJEU) in its Schrems II judgment.

The safeguards are meant to ensure that access to EU personal data by US intelligence agencies is limited to what is necessary and proportionate, and they establish an independent redress mechanism through which EU individuals can complain about the collection of their data for national security purposes. Because these US safeguards apply to data transferred to the US regardless of the legal mechanism used, they also support transfers made under other GDPR tools, including standard contractual clauses and binding corporate rules.

Enhanced and Improved Safeguard Mechanisms

The EU-US Data Privacy Framework was introduced to address the concerns raised by the CJEU regarding the protection of personal data transferred to the US. It rests on binding safeguards and on the establishment of a Data Protection Review Court (DPRC), which gives EU individuals access to a redress mechanism for complaints about government access to their data.

Compared to its predecessor, the Privacy Shield, the new framework introduces significant improvements. It limits access to EU data by US intelligence services to what is necessary and proportionate, and it empowers the DPRC to order the deletion of data collected in violation of the safeguards. US companies importing data from the EU must in addition commit to detailed privacy obligations in order to be certified under the framework.

European Commission President Ursula von der Leyen emphasised that the framework ensures safe data flows for Europeans, strengthens transatlantic economic ties and upholds shared values, and that the cooperation between the EU and the US in resolving these complex issues has strengthened trust in data protection.

Obligations for US Companies

US President Biden issued an executive order (Executive Order 14086, October 2022) imposing stricter limits on the handling of personal data by US intelligence agencies. To participate in the EU-US Data Privacy Framework, US companies must commit to privacy obligations, including deleting personal data that is no longer necessary for the purpose for which it was collected and maintaining continuity of protection when sharing data with third parties: the level of protection afforded to personal data transferred from the EU must not be undermined by its onward transfer to another recipient in the US or in a third country.

Redress Mechanisms for EU Individuals

EU individuals benefit from independent dispute resolution mechanisms and an arbitration panel if their data is mishandled by a certified US company. These avenues are available free of charge.

The newly created DPRC will in turn allow EU individuals to raise concerns about the collection and use of their data by US intelligence agencies. The court will independently investigate and resolve complaints and has the power to adopt binding remedial measures, including ordering the deletion of unlawfully collected data.

Government Access Safeguards

The US legal framework incorporates safeguards for government access to personal data, both for criminal law enforcement and for national security purposes. In the national security context, access is limited to what is necessary and proportionate, and is subject to the independent redress mechanism described above.

Implementation and Enforcement

The US Department of Commerce will administer the EU-US Data Privacy Framework, including the certification of participating companies. Enforcement of those companies' compliance with their commitments lies with the US Federal Trade Commission.

Facilitating Transatlantic Data Flows

The safeguards implemented by the US are not tied to the EU-US Data Privacy Framework alone: they apply to all personal data transferred to the US, and therefore also facilitate transfers made under other tools such as standard contractual clauses and binding corporate rules.

Next Steps and Review Process

The EU-US Data Privacy Framework will undergo periodic reviews by the European Commission, European data protection authorities and the competent US authorities. The first review will take place within a year of the adequacy decision's entry into force and will verify that the relevant elements of the US legal framework have been fully implemented and are functioning effectively in practice.

Imminent Legal Challenges

Although 24 EU member states and tech companies such as Meta voiced their support for the new deal, others remain sceptical, citing 'insufficient protections'. As previously reported in our blog post 'US adequacy decision to be met by legal challenges from privacy advocates', activist groups are expected to contest the new EU-US Data Privacy Framework by seeking an injunction in a national court against a company relying on the new adequacy decision; such cases are likely to be referred to the CJEU. Max Schrems, for instance, has stated that he intends to bring a challenge before the CJEU in early 2024. The main concerns raised are the continued "bulk surveillance" permitted under US law and the claim that the new DPRC is not an "actual" court in the sense of the US Constitution but rather a body within the executive branch of the US government.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.