The European Commission has adopted a decision on the adequacy of the EU-US Data Privacy Agreement, allowing organizations to freely circulate personal data between the two territories without additional safeguards.
The July 10, 2023 announcement confirms the preliminary agreement on a new data privacy framework that the US government and the EU reached in March 2022. The framework replaces the previous Privacy Shield agreement between the two regions, which was ruled illegal by the Court of Justice of the European Union (CJEU) under the GDPR in the 2020 Schrems II case.
The ruling was driven by concerns that US law enforcement agencies might have access to data transferred from the EU to the US. As a result, the process of transferring personal data from the EU to the US became much more complicated, requiring organizations to use alternative mechanisms such as standard contractual clauses.
European Commission President Ursula von der Leyen commented on the new framework: “The new EU-US data privacy framework will guarantee safe data flows for Europeans and bring legal certainty to businesses on both sides of the Atlantic.”
“Following the agreement in principle reached with President Biden last year, the United States has made an unprecedented commitment to establish a new framework. We have taken an important step in deepening our economic ties and at the same time reaffirming our shared values, demonstrating that together we can address the most complex issues.”
In making this decision, the European Commission concluded that the United States ensures an adequate level of data protection comparable to that of the European Union, allowing the safe transfer of personal data across the Atlantic. The EU said the updated framework addresses concerns raised in the CJEU's Schrems II decision. This includes “restricting access to EU data by US intelligence services to what is necessary and appropriate” to protect national security.
In addition, EU citizens will have access to an independent and impartial remedy mechanism regarding the collection and use of their data by US intelligence agencies in the form of the newly created Data Protection Review Court (DPRC).
This court has the power to deal with violations of the Data Privacy Framework, including ordering the deletion of data collected in breach of contract.
In a statement, US Secretary of Commerce Gina Raimondo welcomed the adoption of the adequacy decision by the European Commission and outlined the importance of the mechanism in promoting economic growth.
“Trans-Atlantic data flows support more than $1 trillion in cross-border trade and investment annually, creating greater economic opportunities for businesses and citizens on both sides of the Atlantic. It will be a particularly valuable tool for small and medium-sized businesses wishing to participate, providing an affordable and easy means of transferring personal data that complies with EU law,” she outlined.
Next steps and actions
The EU said there would be regular reviews of the functioning of the EU-US Data Privacy Framework, which the European Commission will carry out in cooperation with other European data authorities and competent US authorities. The first review will take place within one year of the effective date of the adequacy decision (10 July 2023).
Rohan Massey, head of data, privacy and cybersecurity practice at law firm Ropes & Gray, said the new data transfer mechanism follows three years of “hanging in the air,” with organizations unsure whether their data transfers were legal. He said it would be a relief for for-profit organizations that have been in the business for a long time.
“This framework can cite the parts of the EU-US Data Privacy Framework protections that relate to the requirements for technical and organizational measures necessary to protect data outside the EEA, and therefore standard contractual clauses for data transfers. It also benefits organizations that rely on,” he added.
But following the announcement, Noyb, the European Center for Digital Rights, has challenged the decision in court, saying the framework is likely to return to the CJEU “in the coming months.”
The non-profit, founded by privacy activist Max Schrems, believes that the new data transfer mechanism does not include previous privacy protections, “because the United States still takes the view that only Americans deserve constitutional rights.” It claimed the framework has the same fundamental problem as Privacy Shield, relating to Section 702 of the Foreign Intelligence Surveillance Act (FISA).
“It’s been said that the definition of insanity is doing the same thing over and over and expecting different results,” Schrems said. It is based on political interests, not on the basis of political interests. Again, “The current Commission seems to think that confusion will be a problem for the next Commission. The United States needs to extend FISA 702 this year. However, with the announcement of the new agreement, the EU has lost the ability to implement the reforms of FISA 702.”
In June 2023, the UK and US reached an agreement in principle to build a “data bridge” that would allow the free flow of data between the two countries. This is essentially a UK extension to the EU-US Data Privacy Framework.