Following a series of discussions between the European Commission and US Government, an adequacy decision for the EU-US Data Privacy Framework ('Framework') was adopted by the European Commission on 10th July 2023. This Framework is intended to replace the previously invalidated Privacy Shield framework and ensure an adequate level of protection afforded to personal data transferred from the EU to the US.

Background

In the Schrems II Ruling (CJEU-C-311/18), the CJEU invalidated the Privacy Shield which was in force at the time. A number of issues were brought forward, including the lack of effective judicial remedy available for EEA data subjects, as well as the fact that US national security laws do not adequately comply with EU standards of proportionality and necessity for data processing, allowing the US Government a disproportionate level of access to personal data.

The discussions which followed sought to provide stricter compliance with article 45(2) of the GDPR. The US consequently adopted an Executive Order 'Enhancing Safeguards for US Signals Intelligence Activities' (EO 14086), as well as a Regulation on the Data Protection Review Court which introduced new binding safeguards to address the issues identified in Schrems II. Both the EO 14086 and the Regulation complement the implementation of the Framework.

What now?

The new Framework provides for added protection to personal data, as well as the right to seek redress if data subjects believe that they are wrongfully targeted by US authorities' intelligence activities. In this respect, a newly founded Data Protection Review Court ('DPRC') will act as an independent and impartial judicial body. The DPRC has the power, amongst others, to independently investigate and resolve complaints while also adopting binding remedial measures.

Similar to the procedure under the Privacy Shield, US organisations are to apply for certification under the new Framework and commit to the specified privacy principles. The Framework is administered and monitored by the US Department of Commerce. Furthermore, the US Federal Trade Commission together with the US Department of Transportation are tasked with investigating and enforcing US companies' compliance with the Framework.

The Framework brings certified US companies in line with EU data protection requirements, in particular the lawful processing of data, the deletion of personal data when it is no longer necessary for the purposes of processing, and the continuity of protection granted over the personal data when it is shared with third parties.

US authorities must also comply with certain requirements in place for the protection of personal data. Notably, the personal data accessed by US authorities must be limited to that which is necessary and proportionate for their purpose of processing.

This Framework is subject to periodic reviews which are to be carried out by the European Commission, representatives of European data protection authorities, and competent US authorities. The first review is to be carried out within a year of the entry into force of the Framework, in order to verify that all relevant elements have been fully implemented.

This adequacy decision is an important step towards achieving the much-desired legal certainty for both European as well as US businesses engaging in data transfers. Nevertheless, Max Schrems has already come forward claiming that this Framework is merely a copy of the invalidated Privacy Shield and does not truly address the concerns raised by the CJEU in Schrems II. It will be interesting to follow whether a formal challenge to this adequacy decision will be instituted, and if so, how the CJEU will decide.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.