EU-U.S. Data Privacy Framework: A New Adequacy Decision for Transatlantic Data Flows

On July 10, 2023, the European Commission (“Commission”) adopted its adequacy decision for the EU-U.S. Data Privacy Framework (“DPF”). The decision concludes that the United States (“US”) ensures an adequate level of data protection – comparable to that of the European Union (“EU”).

What does this mean for EU Individuals and Businesses?

The much-anticipated decision brings a conclusive resolution to the legal uncertainties surrounding the export of EU users’ data by US companies, an issue that has troubled thousands of businesses in recent years. The General Data Protection Regulation (“GDPR”) empowers the Commission to determine, through an implementing act, whether a non-EU country ensures an “adequate level of protection” for personal data equivalent to that provided within the EU. With the new adequacy decision in place, personal data can now flow securely and freely from the EU to US companies participating in the EU-U.S. DPF, eliminating the need for additional data protection measures like Standard Contractual Clauses (“SCC”) or Binding Corporate Rules (“BCR”).

Fundamental Principles of the Novel EU-U.S. Data Privacy Framework

A new set of rules and binding safeguards limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security; US intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards;
A new two-tier redress system to investigate and resolve complaints of Europeans on access to data by US intelligence authorities, which includes a Data Protection Review Court (“DPRC”). Individuals can submit a complaint to their national data protection authority, even if they don’t know whether US intelligence agencies collected their data. Afterward, the DPRC will independently investigate and resolve complaints, including by adopting binding remedial measures;
Strong obligations for companies processing data transferred from the EU include the requirement to self-certify that they adhere to the standards through the US Department of Commerce.
US companies can join the EU-U.S. DPF by pledging to adhere to a comprehensive set of privacy obligations. These obligations include deleting personal data when it’s no longer necessary for the original purpose of collection and ensuring the continuous protection of data shared with third parties.

The EU-U.S. DPF introduces enforceable measures that address the concerns highlighted by the Court of Justice of the European Union (“CJEU”) in its Schrems II decision of July 2020. These measures include restricting access to EU data by US intelligence services to what is essential and proportionate, and establishing the DPRC to handle complaints from European individuals regarding the collection of their data for national security reasons.

Compared to the Privacy Shield, the new Framework brings about significant improvements. For instance, if the DPRC determines that data was collected violating the new safeguards, it will have the authority to mandate the deletion of such data. The enhanced safeguards related to government access to data will complement the obligations required of US companies importing data from the EU.

EU individuals will benefit from several redress mechanisms if US companies wrongly handle their data. The safeguards put in place by the US will also facilitate transatlantic data flows more generally since they also apply when data is transferred by using other tools, such as SCCs and BCRs.

Looking to the Future

The adequacy decision came into effect upon its adoption on July 10, 2023. To ensure the ongoing protection of personal data belonging to individuals in the EU, the Commission will conduct periodic reviews of the EU-U.S. DPF. The first review is scheduled to occur within a year of the EU-U.S. DPF’s operation.

Stay tuned for further details on the EU-U.S. DPF and the self-certification process, which will be revealed on the US Department of Commerce’s dedicated EU-U.S. DPF website. The US Department of Commerce manages and oversees the Framework, while the US Federal Trade Commission will be vigilant in enforcing compliance among US companies.

Making a Change or Putting a Band-Aid on the Data Transfer Issue?

The transfer of personal data from the EU to the US was ruled illegal by the CJEU in two landmark cases, with the latest one being Schrems II, which highlighted concerns about disproportionate access and inadequate protection of European bulk data by US security agencies. After the CJEU invalidated the previous adequacy decision on the EU-U.S. Privacy Shield, the Commission and the US government engaged in discussions to create a new framework addressing the issues.

Although the EU-U.S. DPF has been well-anticipated and welcomed by many, it is expected to face legal challenges in the future, similar to previous frameworks like Safe Harbour and the Privacy Shield. Privacy activist Max Schrems, who initiated the previously mentioned cases, emphasizes that mere claims of being “new,” “robust,” or “effective” won’t suffice in the eyes of the CJEU. Further, Schrems expects the newest version of the adequacy decision “to be back at the Court of Justice by the beginning of next year,” which could “even suspend the new deal while it is reviewing the substance of it.”

Will the CJEU deliver a decisive verdict that sets the stage for a harmonious data flow relationship between the EU and the US? Only time will tell. In the meantime, data keeps flowing, and the EU-U.S. DPF holds the key to a data-sharing saga!

By Milica Novakovic and Nikola Ivkovic, Associates, Gecic Law

Gecic Law at a Glance

Committed to redefining a law firm's role in an emerging regional market, Gecić Law is a full-service law firm that advises international and local clients from the public and private sectors in navigating the complex legal landscape of the region across multiple practice areas. Members of the Gecić Law team have graduated from leading universities in the US and Europe. They have extensive local and international experience, with a particular focus on EU regulatory frameworks and international trade and a proven track record in providing innovative and practical solutions in the most complex of matters.

Gecić Law is an exclusive member of two leading global alliances, TerraLex and TAGLaw, extending its international footprint. The firm and its lawyers have continuously been recognized in several practice areas by elite global directories, including The Legal 500, Chambers and Partners and Benchmark Litigation. Gecić Law was named Law Firm of the Year: South Eastern Europe 2021 and Law Firm of the Year: Eastern Europe and the Balkans 2020 at The Lawyer European Awards and was repeatedly nominated in other practice areas.

For more details, please visit geciclaw.com.