Didier Reynders – Photo © European Union 2023
(BRUSSELS) – The United States ensures an adequate level of protection for personal data transferred from the European Union to US companies under the new framework, the EU concluded Monday.
Adopting its adequacy decision for the EU-U.S. Data Privacy Framework, the Commission’s decision concludes that the level of U.S. data protection is comparable to that of the European Union under the new framework.
On the basis of the new adequacy decision, personal data can flow safely from the EU to US companies participating in the Framework, without having to put in place additional data protection safeguards.
The EU-U.S. Data Privacy Framework introduces new binding safeguards to address all the concerns raised by the European Court of Justice, including limiting access to EU data by US intelligence services to what is necessary and proportionate, and establishing a Data Protection Review Court (DPRC), to which EU individuals will have access. The new framework introduces significant improvements compared to the mechanism that existed under the Privacy Shield. For example, if the DPRC finds that data was collected in violation of the new safeguards, it will be able to order the deletion of the data. The new safeguards in the area of government access to data will complement the obligations that US companies importing data from EU will have to subscribe to.
The US has implemented ‘unprecedented commitments’ to establish the new framework, Commission president Ursula von der Leyen said: “Today we take an important step to provide trust to citizens that their data is safe, to deepen our economic ties between the EU and the US, and at the same time to reaffirm our shared values. It shows that by working together, we can address the most complex issues.”
US companies will be able to join the EU-U.S. Data Privacy Framework by committing to comply with a detailed set of privacy obligations, for instance the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties.
EU individuals will benefit from several redress avenues in case their data is wrongly handled by US companies. This includes free of charge independent dispute resolution mechanisms and an arbitration panel.
In addition, the US legal framework provides for a number of safeguards regarding the access to data transferred under the framework by US public authorities, in particular for criminal law enforcement and national security purposes. Access to data is limited to what is necessary and proportionate to protect national security.
EU individuals will have access to an independent and impartial redress mechanism regarding the collection and use of their data by US intelligence agencies, which includes a newly created Data Protection Review Court (DPRC). The Court will independently investigate and resolve complaints, including by adopting binding remedial measures.
The safeguards put in place by the US will also facilitate transatlantic data flows more generally, since they also apply when data is transferred by using other tools, such as standard contractual clauses and binding corporate rules.
Adequacy decision on the EU-US Data Privacy Framework
EU-US Data Privacy Framework - guide
Factsheet Transatlantic Data Privacy Framework
EU-US data transfers (europa.eu)
International dimension of data protection (europa.eu)
Adequacy decisions (europa.eu)
Joint Statement on Trans-Atlantic Data Privacy Framework (europa.eu)
