The European Commission has adopted its adequacy decision for the EU-US Data Privacy Agreement, allowing organizations to engage in the free flow of personal data between the two regions without additional safeguards.
The announcement on July 10, 2023, confirms a preliminary agreement between the US government and the EU for a new Data Privacy Framework in March 2022. This model replaces the previous Privacy Shield arrangement between the two regions, which was ruled unlawful by the Court of Justice of the European Union (CJEU) under GDPR rules in the Schrems II case in 2020.
This ruling was due to concerns that US law enforcement agencies could access data transferred from the EU to the US. As a result, the process of transferring personal data from the EU to the US has become far more complex, with organizations having to use alternative mechanisms like standard contractual clauses.
Commenting on the new framework, President of the European Commission, Ursula von der Leyen, said: “The new EU-US Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic.
“Following the agreement in principle I reached with President Biden last year, the US has implemented unprecedented commitments to establish the new framework. Today we take an important step to provide trust to citizens that their data is safe, to deepen our economic ties between the EU and the US, and at the same time to reaffirm our shared values. It shows that by working together, we can address the most complex issues.”
In coming to the decision, the European Commission concluded that the US has an adequate level of data protection comparable to that of the EU, allowing personal data to be transferred safely across the Atlantic. The EU said the updated framework addresses concerns raised in the CJEU’s decision in Schrems II. This includes “limiting access to EU data by US intelligence services to what is necessary and proportionate” to protect national security.
In addition, EU citizens will have access to an independent and impartial redress mechanism regarding the collection and use of their data by US intelligence agencies in the form of a newly created Data Protection Review Court (DPRC).
This court will have powers to address violations of the Data Privacy Framework, such as ordering the deletion of data that was collected in contravention of the agreement.
In a statement, US Secretary of Commerce Gina Raimondo welcomed the Commission’s adoption of the adequacy decision, and outlined the importance of the mechanism in facilitating economic growth.
“Trans-Atlantic data flows underpin more than $1trn in cross-border trade and investment per year and create greater economic opportunities for companies and citizens on both sides of the Atlantic. The DPF will be a particularly valuable tool for small and medium-size businesses that wish to participate in the transatlantic economy, providing an affordable and straightforward means of transferring personal data consistent with EU law,” she outlined.
Next Steps and Reaction
The EU said that there will be periodic reviews of the functioning of the EU-US Data Privacy Framework carried out by the Commission in conjunction with other European data authorities and competent US authorities. The first will take place within a year of entry into the force of the adequacy decision, which was 10 July 2023.
Rohan Massey, head of data, privacy and cybersecurity practice at law firm Ropes & Gray, said the new data transfer mechanism will be a relief to commercial organizations, which have spent three years “in limbo,” unsure if their data transfers were lawful.
“The Framework will also benefit organizations relying on standard contractual clauses for data transfers, as they will be able to cite some of the EU-U.S. Data Privacy Framework protections as relevant to their requirements for technical and organizational measures needed to protect data outside the EEA,” he added.
However, responding to the announcement, Noyb - European Center for Digital Rights, said it will be challenging the decision in the courts, with the framework likely to be back at the CJEU “in a matter of months.”
The non-profit organization, founded by privacy campaigner Max Schrems, claimed that the new data transfer mechanism has the same fundamental problems as the previous Privacy Shield “as the US still takes the view that only US persons are worthy of constitutional rights” under Section 702 of the Foreign Intelligence Surveillance Act (FISA).
Schrems stated: "They say the definition of insanity is doing the same thing over and over again and expecting a different result. Just like 'Privacy Shield' the latest deal is not based on material changes, but by political interests. Once again, the current Commission seems to think that the mess will be the next Commission's problem. FISA 702 needs to be prolonged by the US this year, but with the announcement of the new deal the EU has lost any power to get a reform of FISA 702."
In June 2023, the UK and US reached a commitment in principle to create a ‘data bridge’ to enable the free flow of data between the two nations – essentially, a UK extension to the EU-US Data Privacy Framework.