The EU Commission has adopted and adequacy decision for the transfer of data to the U.S.

The EU Commission has adopted and adequacy decision for the transfer of data to the U.S.

The EU Commission has adopted and adequacy decision for the transfer of data to the U.S.

We would like to inform you that on July 10, 2023, the EU Commission adopted the adequacy decision on the Data Privacy Framework for the transfer of personal data from the EU to U.S. companies participating in the EU-USA Data Privacy Framework, formally recognizing that the U.S. has an adequate level of protection compared to the EU.

President Ursula von der Leyen said: “The new EU-U.S. Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic. Following the agreement in principle I reached with President Biden last year, the US has implemented unprecedented commitments to establish the new framework. Today we take an important step to provide trust to citizens that their data is safe, to deepen our economic ties between the EU and the US, and at the same time to reaffirm our shared values. It shows that by working together, we can address the most complex issues“.

The EU Commission has, therefore, provided a new legal basis for the transfer of personal data to the United States, which can now be done freely, without the need for additional conditions or authorizations.

THE ADEQUACY DECISION AND THE OPINION OF THE EU PARLIAMENT

The adequacy decision is one of the instruments under Article 45 GDPR, through which the transfer of personal data from the EU to a third country is permitted. As previously reported to your attention in Alert No. 30/2023the European Parliament, in a resolution dated May 11, 2023, had expressed its opposition to the European Commission’s draft adequacy decision for the transfer of data from the EU to the U.S.

THE NEW SAFEGUARDS OF THE DATA PRIVACY FRAMEWORK

We point out the main safeguards provided in the “EU-US Data Privacy Framework”:

  • limitation of the power of access by U.S. intelligence services: they will be able to access personal data of European citizens only if deemed essential to fulfill a national security or criminal law enforcement purpose and against an assessment based on the proportionality principle;
  • establishment of the Data Protection Review Court (DPRC): establishment of the Data Protection Review Tribunal (DPRC), to which can appeal those who enjoy the protection of European legislation, in case they believe to have suffered a violation of their personal data. According to the Data Privacy Framework, the DPRC will impose on U.S. companies to delete the applicant’s personal data, in case it ascertains the violation of the guarantees;
  • establishment of a new independent and impartial complaint mechanism;
  • with regard to the obligations for U.S. companies, the Data Privacy Framework provided:

(i) an obligation to delete personal data when it is no longer necessary for the original purposes;

(ii) an obligation to ensure continuity of personal data protection when sharing with third parties.

THE REVIEW

An initial review has been scheduled within one year of the entry into force of the adequacy decision, in order to verify the correct implementation of the new safeguards within the U.S. legal framework.

The implementation of the EU-U.S. Data Protection Framework will be subject to periodic reviews conducted by the European Commission together with representatives of the European Data Protection Authorities and the relevant U.S. authorities.

THE FUTURE OF THE TRANSFER OF PERSONAL DATA TO THE US

The announcement of the EU Commission’s recent action has provoked mixed reactions: on the one hand, there is no doubt that the adequacy decision has brought a significant benefit for all those European companies that transfer personal data to the U.S. However, on the other hand, the validity of this adequacy decision may be only temporary and it may become subject to review before the EU Court of Justice.
In fact, the Court of Justice of the EU in the Schrems I and II decisions, has already invalidated previous agreements between the EU and the US regarding the transfer of personal data to the US.

For these reasons, We advise you to act with caution, especially when choosing data processors and, if possible, preferring operators located in the EU.

***

We would like to remind you that our professionals offer assistance in data protection and we remain available for any clarifications.