The European Commission promotes a suitable legal framework for data privacy between the EU and the USA

On 10 July, the European Commission adopted a regulatory adequacy decision for safe and trusted EU-US data flows. This initiative comes three years after the Court of Justice of the European Union (CJEU) overturned the Privacy Shield, the previous adequacy decision.

As stipulated in the General Data Protection Regulation, the European Commission is responsible for determining the appropriate level of data protection provided by third countries. The main factors include aspects concerning human rights and fundamental freedoms, laws relating to public safety, defence, and national security.

The USA is considered to ensure an adequate level of protection, comparable to that of the EU, which allows the free flow of data between both territories. Data transfers can be made from the European Economic Area (EEA) to American organisations on the Data Privacy Framework List without needing to establish additional data protection guarantees.

This is an essential step in international data transfers. The new privacy framework establishes a set of criteria to guarantee the legal restrictions on US intelligence services set by the CJEU, limiting their access to EU data.

At the same time, several impartial appeal bodies are made available to European citizens, including a Data Protection Review Tribunal (DPRC), which will carry out the investigative work to resolve complaints. It also provides channels to impose binding remedial measures where it is ruled that security measures were infringed in obtaining data.

This privacy framework will include reliable measures for European citizens and provide legal certainty to both European and US organisations. US organisations must comply with the following obligations:

– Delete personal data when they are no longer necessary for the purpose for which they were collected.

– Ensure continuity of protection when personal data are shared with third parties.

– Abide by the principles in the data protection regulations.

– Fulfil the necessary obligations to guarantee data security.

The adequacy decision is not addressed to the USA as a state but to US organisations that demonstrate compliance with the protection requirements. The safeguards provided by the USA will also benefit data flows more generally, since they apply when data transfers occur through other mechanisms, such as contractual clauses and binding corporate rules.

Lastly, the European Commission must monitor the progress made by the USA. The first review will take place one year after the adoption and entry into force of the decision, 10 July 2024, to check whether the American framework is working properly. From then on, the Commission will be able to decide how often the subsequent checks will be carried out.
