European Commission’s new attempt to ease EU-U.S. data transfers: Deeper look at the EU-U.S. Data Privacy Framework

The European Commission adopted its long-awaited adequacy decision for the EU-U.S. Data Privacy Framework on 10 July 2023. Many have been waiting for the European Commission’s decision since July 2020, when the Court of Justice of the European Union (CJEU) delivered its notable Schrems II (C-311/18) judgement, in which it invalidated a previous transatlantic data flow framework, the EU-U.S. Privacy Shield (Privacy Shield). Until the adequacy decision, data transfers from the EU to the U.S. required using, inter alia, standard contractual clauses (SCCs) or binding corporate rules, depending on the case, and preparing a Transfer Impact Assessment (TIA).

In the adequacy decision, the European Commission concluded that the U.S. ensures a level of protection for personal data transferred from the EU to U.S. companies under the new framework that is essentially equivalent to the level of protection within the European Union. But what does this mean?

In general, personal data can be transferred outside the EU and EEA provided that the processing of personal data is permitted in the situation in question and the transfer is based on a transfer mechanism defined in Chapter V of the General Data Protection Regulation (2016/679, GDPR). The European Commission’s decision on an adequate level of data protection (GDPR Article 45) is the primary basis for transferring personal data and takes priority over the other transfer bases defined in Chapter V of the GDPR.

In this case, the priority of the adequacy decision means that personal data can be transferred safely from the EU to U.S. companies participating in the framework without having to put in place the additional data protection safeguards set out in Article 46 of the GDPR, such as standard contractual clauses or binding corporate rules.

Significant changes

In the Schrems II judgement, the CJEU raised several points regarding the U.S. intelligence agencies’ access to EU data. The EU-U.S. Data Privacy Framework tackles them and includes significant improvements compared to the mechanism that existed under the Privacy Shield.

The framework limits U.S. intelligence agencies’ access to EU data to what is necessary and proportionate. It also establishes a Data Protection Review Court (DPRC), an independent and impartial redress mechanism, the aim of which is to handle and resolve EU individuals’ complaints regarding the collection of Europeans’ data for national security purposes.

To join the EU-U.S. Data Privacy Framework, U.S. companies must self-certify through the framework and commit to a set of privacy principles contained in the European Commission’s adequacy decision. The U.S. companies must, for instance, limit personal data to what is relevant for the purpose of processing, delete it when it is no longer necessary for the purpose for which it was collected, and inform data subjects of the main features of the processing of their data.

Points worth noting

  • The adequacy decision for the EU-U.S. Data Privacy Framework does not apply to and cannot be used for data transfers between public sector organisations.
  • The safeguards put in place by the U.S. also apply when data is transferred from the EU to the U.S. using transfer mechanisms other than the adequacy decision, such as standard contractual clauses (SCCs) and binding corporate rules.

Next steps

We recommend that organisations review their existing Data Protection Impact Assessments (DPIAs) and Transfer Impact Assessments (TIAs) concerning data transfers from the EU to the U.S. and update them to reflect the European Commission’s new adequacy decision for the EU-U.S. Data Privacy Framework.

Our team is happy to provide more information and help you with any questions you may have concerning data flows from the EU to the U.S. 
