The new EU-US Data Privacy Framework is a unilateral act of the European Commission (not an international agreement) that recognizes an adequate level of protection for personal data transferred from the EU to US companies that are signatories to the new EU-US Data Privacy Framework principles.
Negotiations intensified following the tentative agreement on a new framework for transatlantic data flows, jointly announced by the President of the European Commission, Von der Leyen, and the President of the U.S., Biden, in March 2022 in Brussels. A data flow model that ensures privacy protection and fosters innovation in the economic sphere is crucial to harness the benefits of the digital ecosystem and mitigate potential risks. Promoting responsible and reliable data governance is vital for the progress of the digital economy.
The new EU-US Data Privacy Framework is the third attempt after its predecessors, the 2000 Safe Harbour and the 2016 Privacy Shield, were considered invalid by the European Court of Justice. This time, the European Commission has stressed that the new Framework is very different from the previous Privacy Shield, especially in two key aspects:
New binding safeguards
US President Biden's Executive Order of October 2022 established new rules regarding the conditions under which US Intelligence Agencies would be able to access personal data transferred from the EU to the US, based on the principles of necessity and proportionality.
These principles, which have been repeatedly raised in the jurisprudence of the European Court of Justice when assessing EU laws, are now binding on US Intelligence Agencies, which adapted their internal rules of procedure on 3rd July 2023 to implement the Biden Executive Order and “its” necessity and proportionality principles.
New redress mechanism
Instead of the former figure of the Ombudsman established by the Privacy Shield, a 2-layer mechanism has been established, with the possibility for an individual (whose data has been transferred from the EU to the US) to lodge a complaint before the new Data Protection Review Court.
The new Court has investigative powers as well as powers to propose remedies. Although this new Court could be considered an administrative Court within the Executive, its composition of 6 Judges nominated by the US Attorney General ensures a sufficient level of independence. The European Commission is well aware that this is the maximum the US was ready to accept in terms of an independent Court.
US Department of Commerce & US Federal Trade Commission
As with its predecessors Safe Harbour and Privacy Shield, the new EU-US Data Privacy Framework only legitimizes the transfer of personal data from the EU to US companies that self-certify as compliant with the principles set by the EU-US Data Privacy Framework.
The US Department of Commerce will process applications for self-certification and monitor whether signatory companies continue to comply with the EU-US Data Privacy Framework principles, and thus continue to meet the certification requirements as an “adequate company”. The website for self-certifying will be launched on 17th July 2023.
Furthermore, the US Federal Trade Commission is the enforcement Authority in case US signatory companies stop complying with their obligations under the EU-US Data Privacy Framework.
Within 1 year after adoption of the EU-US Data Privacy Framework, the European Commission will undertake a first review to monitor relevant developments in the US and verify whether all relevant elements of the US legal framework are functioning effectively in practice. Subsequent periodic reviews will follow, at least every four years.
Other Adequacy Decisions
In the meantime, after the summer, the European Commission will issue a Report on the assessment of existing Adequacy Decisions: the Adequacy Decision for Argentina adopted in 2003, the Adequacy Decisions for Uruguay and for New Zealand adopted in 2012, the more recent Decisions for Japan of 2019 (the first Adequacy Decision under GDPR) and for Korea adopted in 2021, and some others.
Regarding the UK Adequacy Decisions, also adopted in 2021, a sunset clause limits the duration of adequacy to four years. Currently, the European Commission is monitoring the debate on a new UK Data Protection Act to ensure that future rules do not compromise the status of adequacy.
Data Protection to ensure sustainable economic relationships
For the European Commission, the new EU-US Data Privacy Framework shows that the EU and the US are able to find balanced solutions on very complex issues, in a very good and constructive atmosphere, within the mandate of the European Court of Justice and the criteria established in the Schrems Ruling.
To mark the adoption of the Adequacy Decision, President von der Leyen and President Biden used similar words. While President von der Leyen stressed the importance of the new Adequacy Decision to ensure safe data flows for Europeans while at the same time bringing “legal certainty to companies on both sides of the Atlantic”, President Biden welcomed the Adequacy Decision, which reflects the joint commitment to strong data privacy protections and will create “greater economic opportunities for our countries and companies on both sides of the Atlantic”.
Indeed, the importance of data flows is reflected in the fact that there are more data flows between the EU and the US than anywhere else in the world, enabling the more than $7 trillion EU-US economic relationship. While these figures probably cannot be compared with figures between the EU and other regions, increasing data flows between the EU and Asian, African and Latin American countries require more and more attention.
Therefore, the European Commission should now focus on launching and accelerating the adoption process of Adequacy Decisions that will assess the new Data Protection Laws adopted in third countries in recent years (like Brazil), which are very much inspired by GDPR, and recognize them as providing an adequate level of protection.