On 10 July 2023, the EU Commission adopted its adequacy decision for the EU-US Data Privacy Framework (“Framework”). After years of negotiations between the EU and the US, the EU Commission concluded that the US offers an adequate level of protection for personal data transferred from a controller or processor in the European Economic Area (“EEA”) to US companies that abide by the obligations under the Framework.
The adequacy decision was adopted in light of Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (EO 14086) signed by President Biden, which introduced new safeguards for US signals intelligence activities as a way to address the concerns raised by the Court of Justice of the EU in its Schrems II ruling of July 2020.
1. What safeguards have been introduced?
- Binding safeguards that limit access to data by US intelligence services. The Framework introduces new principles of necessity and proportionality with regard to the access and use of personal data by US intelligence services.
- Establishment of an independent and impartial two-tier redress mechanism. The Framework introduces two independent and binding authorities to handle complaints about the processing of personal data by US intelligence services made by individuals whose personal data has been transferred from the EU to the US. Individuals can first address their complaint to the Civil Liberties Protection Officer of the US Intelligence Community. They can then appeal the decision of the Civil Liberties Protection Officer before the newly created Data Protection Review Court.
- New obligations for companies. The Framework is based on a certification system through which US companies commit to a set of privacy principles (e.g. purpose limitation, data minimisation and data retention). The list of certified companies will be made public soon by the Department of Commerce.
- New rights for data subjects. The Framework provides EU individuals whose personal data would be transferred to certified companies in the US with new rights, without the need for justification, such as the right to access, correct and/or delete incorrect or unlawfully handled data.
- Enhanced oversight. The Framework also introduces renewed commitments by the Federal Trade Commission and the Department of Transportation to ensure the compliance of US certified companies with their obligations under the Framework, and also by the Department of Commerce to ensure the effective administration and supervision of the Framework.
2. What is the impact of the adequacy decision?
The adequacy decision applies as of the date of its entry into force (10 July 2023) and allows the free and safe transfer of personal data from public and private entities in the EEA to US certified companies, without having to put in place additional data protection safeguards.
In addition, the safeguards put in place by the US to limit access to data by intelligence services and the redress mechanisms apply to all data transfers subject to the GDPR to companies in the US, regardless of the transfer mechanisms used.
The Framework has, however, already been criticised by a variety of stakeholders. They consider that the Framework is merely a copy of the failed Privacy Shield and is thus still not robust enough to address the fundamental issues raised by the Schrems II ruling. One should therefore expect the Framework to be challenged before the Court of Justice of the EU in the future.