European Commission Adopts New Adequacy Decision for the EU-U.S. Data Privacy Framework: Compliant US Companies to Seamlessly Obtain EU Customer Data
The European Commission has determined that the United States provides a level of data protection comparable to that of the European Union. This adequacy decision allows for secure transfer of personal data from the EU to US companies participating in the new EU-U.S. Data Privacy Framework, without the need for additional data protection measures.
The EU-U.S. Data Privacy Framework addresses concerns raised by the European Court of Justice by implementing new binding safeguards. These include restricting access to EU data by US intelligence services to what is necessary and proportionate, and establishing a Data Protection Review Court (DPRC) accessible to EU individuals. The framework brings significant enhancements compared to the previous Privacy Shield mechanism. For instance, if the DPRC determines that data was collected in violation of the new safeguards, it can order the deletion of such data. These safeguards, along with the obligations for US companies importing EU data, create a comprehensive data protection system.
US companies can certify their participation in the EU-U.S. Data Privacy Framework by pledging to adhere to a comprehensive set of privacy obligations. These may include privacy principles like purpose limitation, data minimization, and data retention, along with specific obligations pertaining to data security and sharing with third parties.
The Framework will be administered by the US Department of Commerce, which is responsible for processing certification applications and ensuring the participating companies’ continued compliance with the certification requirements. The enforcement of obligations under the EU-U.S. Data Privacy Framework will be implemented by the US Federal Trade Commission (FTC).
Under Article 45(3) of the General Data Protection Regulation (GDPR), the Commission has the authority to determine, through an implementing act, that a non-EU country provides an ‘adequate level of protection’ for personal data. This means the level of protection is essentially equivalent to that within the EU. Adequacy decisions enable unrestricted flow of personal data from the EU (including Norway, Liechtenstein, and Iceland) to the third country, without additional barriers.
After the EU-U.S. Privacy Shield’s invalidation by the Court of Justice of the EU, the European Commission and the US government entered discussions for a new framework addressing the issues raised by the Court.
In March 2022, President Biden and EU President von der Leyen announced a preliminary agreement on a new transatlantic data flows framework. In October 2022, President Biden signed an Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities,’ accompanied by regulations issued by US Attorney General Garland. These instruments incorporated the US commitments from the preliminary agreement into US law and complemented the obligations for US companies under the EU-U.S. Data Privacy Framework.
NEED HELP WITH PRIVACY LAW COMPLIANCE?
The CommLaw Group Can Help!
If your company has questions about its data privacy obligations under federal laws and FCC/FTC rules or would like to certify its participation in the EU-U.S. Data Privacy Framework, please contact Linda McReynolds at email@example.com.