The European Commission has formally adopted an adequacy decision that would allow personal data to flow freely again from the European Union to the United States under a new data framework. The move comes after years of negotiations following the invalidation of the EU-US Privacy Shield by the European Court of Justice in 2020.
The new EU-US Data Privacy Framework establishes a set of binding safeguards to address concerns about excessive surveillance by US intelligence agencies and access to EU citizens’ data.
These include limiting data access to what is necessary and proportionate for national security, and establishing an independent Data Protection Review Court that EU citizens can appeal to.
If the review court finds that data was collected improperly, it can order the data to be deleted. US companies will also have to commit to comply with strict data protection obligations and deletion requirements to participate in the framework.
Member Countries and the Parliament Are Next in Line to Review the Framework
The adequacy decision, if approved by EU member states and the European Parliament, would allow personal data transfers from the EU to participating US companies to resume without needing additional safeguards. Such flows reportedly underpin €900 billion in EU-US commerce annually.
However, some data privacy advocates have expressed skepticism that the new framework goes far enough to limit US surveillance. They argue that the final details of the framework are vague and the US safeguards are effectively voluntary.
The press release asserted that, after a thorough review of the North American nation’s practices, “the United States ensures an adequate level of [data and privacy] protection”.
However, the Commission said that it will closely monitor the framework’s implementation in a review that will be performed a year from now.
If successful, the framework could serve as a model for future data-transfer agreements between nations. However, its long-term durability may depend on how effectively the new oversight mechanisms and US commitments function in practice.
The agreement still faces hurdles from member states and MEPs concerned about protecting EU citizens’ data.
What Does This All Mean for EU and US Web and App Users?
The EU-US data framework establishes an “adequacy” agreement, meaning that the EU considers the framework to provide EU-based users with an “essentially equivalent” level of data protection.
Adequacy assessments consider not just a country’s privacy laws but available oversight and redress mechanisms. The framework introduces new safeguards and independent oversight to address EU concerns about US government access to data.
To participate, US companies must comply with strict obligations like limiting data retention and ensuring security. They must self-certify compliance with the US Department of Commerce, which monitors participating companies. Compliance will be enforced by the US Federal Trade Commission.
For EU citizens, the framework establishes redress avenues if their data is mishandled. This includes free independent dispute resolution and an arbitration panel.
Crucially, the framework establishes the independent Data Protection Review Court to handle EU citizens’ complaints about US intelligence agencies accessing their data.
The court members are appointed based on qualifications and can only be removed for cause, ensuring their independence from the US government. Each case also has a special advocate to ensure the complainant’s interests are represented.
After investigating a complaint, the Civil Liberties Protection Officer or Data Protection Review Court will inform the complainant whether a violation was found and remedied. At a later stage, the complainant will also be able to view the court’s reasoned decision, once it is no longer confidential.
The EU will conduct a review of the framework within one year to verify that the US safeguards are functioning effectively in practice. Further reviews will occur at least every four years, and the adequacy decision could be adapted or withdrawn if protections change.
Importantly, the US safeguards apply to all data transfers from the EU to US companies, regardless of the transfer mechanism used. This facilitates the continued use of standard contractual clauses and binding corporate rules for data transfers.