On 10 July 2023, the European Commission adopted the adequacy decision on the EU-US Data Privacy Framework. An adequacy decision is a tool allowing the transfer of personal data from the EU to those third countries whose level of personal data protection is comparable to that of the EU.
The adoption of the adequacy decision is a result of the United States government’s implementation of the Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities.”1 This Executive Order established a set of new safeguards stemming from the Schrems II decision,2 for instance obliging US intelligence agencies to comply with the necessity and proportionality principles when accessing data. As of this writing, the US joins Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the UK, and Uruguay in providing adequate protection.
As of 10 July 2023, European organizations can transfer personal data to US entities that participate in the EU-US Data Privacy Framework without any additional preventive measures. The data subjects whose data is transferred from the EU to the US are entitled to a new set of rights that were not available before, such as the right to access, correction or erasure of data. Moreover, EU individuals can benefit from complementary dispute resolution mechanisms and an arbitration panel. The Framework introduces new rules about data security and data sharing with third parties and implements purpose limitation, data minimization and data retention principles. Key points of the framework include:
The EU-US Data Privacy Framework applies to data transfers between EU and US companies certified by the US Department of Commerce. US companies will be able to “self-certify” and join the EU-US Framework by committing to comply with a detailed set of privacy obligations.
Every year, the decision will be reviewed by the European Commission according to the newest developments in US law. The first review will be performed in July 2024 to verify whether all the safeguards are effectively implemented, according to the Framework. Based on the results of the first review, the European Commission will consult with EU Member States for future reviews that will happen at least every four years.
Deloitte’s specialists and dedicated services can help you clarify the opportunity and impact of the EU-US Data Privacy Framework. Our Regulatory Watch team closely follows developments to help you stay ahead of the regulatory curve.
1 Executive Order 14086 – Policy and Procedures | Other release | Bureau of Intelligence and Research, July 3rd 2023, <https://www.state.gov/executive-order-14086-policy-and-procedures/> [accessed: 19.07.2023]
2 CJEU C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, July 16th 2020, <https://curia.europa.eu/juris/document/document.jsf;jsessionid=FC6484B559D967F68D6BF745B87C5F5A?text=&docid=228677&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=2663287> [accessed: 19.07.2023]