In recent days, we had the opportunity to read how the European Commission has adopted a Decision on the adequacy of the data protection framework between the EU and the US.
This Decision allows the transfer of personal data from the EU to the US without additional conditions or approval, i.e. in the same way that data is transferred within the EU itself.
On the other hand, by signing this Decision, the United States has committed to ensuring an adequate level of protection, comparable to that of the EU.
This would mean that data transfers from any public or private entity in the EEA to US companies participating in the EU-US data protection framework are covered.
The EU-US data privacy framework introduces new binding safeguards to address all concerns raised by the Court of Justice of the European Union, including limiting U.S. intelligence services’ access to EU data to what is necessary and proportionate, and setting up a Data Protection Review Court to which EU individuals will have access.
The new framework introduces significant improvements compared to the Privacy Shield mechanism. The new assurances in government access to data will complement commitments that U.S. companies importing data from the EU will have to take.
U.S. companies will be able to join the EU-US Data Privacy Framework by committing to comply with a detailed set of privacy obligations, such as a request to delete personal data when it is no longer needed for the purpose for which it was collected, and by ensuring continuity of protection when personal data is shared with third parties.
EU individuals will benefit from several legal remedies if US companies mishandle their data. This includes free independent dispute resolution mechanisms and an arbitration panel.
The U.S. legal framework provides for several guarantees regarding access to U.S. public authorities to data transferred by U.S. public bodies within the framework, in particular for law enforcement and national security purposes. Access to data is limited to what is necessary and proportionate to protect national security.
EU individuals will have access to an independent and impartial redress mechanism regarding the collection and use of their data by U.S. intelligence agencies, which includes the newly established Data Protection Audit Court (DPAC). The court will independently investigate and resolve complaints, including by adopting binding corrective measures.
The guarantee introduced by the U.S. will also generally facilitate transatlantic data flows as they also apply when transferring data to other tools, such as standard contractual clauses and binding corporate rules.
The functioning of the EU-US data privacy framework will be subject to periodic reviews conducted by the European Commission, together with representatives of European data protection authorities and US competent authorities.
The first review will be carried out within a year of the entry into force of the adequacy decision to verify that all relevant elements have been fully implemented within the US legal framework and are functioning effectively in practice.
*Source: https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721
