European Commission adopts a decision on an adequate level of protection for safe and secure data flows between the EU and the US

July 19, 2023

Author: Boyana Boyadzhieva

On 10 July 2023, the European Commission adopted a new decision on the adequate level of protection of personal data in relation to the EU-U.S. Data Privacy Framework. The Decision allows for the safe transfer of personal data from the EU to companies in the US that participate in the Framework, without the need to put in place additional data protection safeguards.

The new legal Framework is the result of the US Executive Order signed by President Joe Biden in October 2022, which aimed to address all the concerns raised by the European Court of Justice in the Schrems II ruling in 2020. It was in the Schrems II ruling that the previous model of data protection, called the Privacy Shield, was declared unlawful under the rules of the European Union’s (EU) General Data Protection Regulation (GDPR).

Compared to the mechanism set out in the Privacy Shield, this new framework provides significant improvements. The EU-U.S. Data Privacy Framework introduces new mandatory safeguards, including:

1) Limiting access by US intelligence services to only what is necessary and proportionate to protect national security;

2) Enhanced oversight of US intelligence activities to ensure compliance with restrictions on surveillance activities;

3) Establishment of an independent and impartial redress mechanism, including a new “Data Protection Review Court”, to which EU individuals will have access and which will investigate and resolve complaints about access by US national security authorities to their data.

The Data Protection Review Court will be able to order the deletion of personal data if it finds that the data has been collected in a way that contravenes the new safeguards. US companies will be able to join the EU-U.S. Data Privacy Framework by committing to a detailed set of privacy obligations, such as requiring personal data to be deleted if it is no longer necessary for the purpose for which it was collected and ensuring a continuous level of protection when personal data is shared with third parties.

The European Commission will review the adequacy decision on a regular basis, starting one year after its entry into force. Among the aspects to be reviewed will be the appeal mechanism and cooperation between European and US authorities.
