On 10 July, the European Commission formally adopted the long-awaited new EU-U.S. Data Privacy Framework, which is expected to put an end to three years of legal limbo for organisations and businesses relying on transatlantic data transfers as part of their economic activities. With the new data transfer agreement, the EU grants the U.S. a so-called adequacy decision, issued within the legal framework of the General Data Protection Regulation (GDPR), which means that companies will again be allowed to freely transfer data across the Atlantic. More specifically, the Commission’s adequacy decision serves as an assessment that the U.S. government provides data protection measures to European citizens that is equivalent to the data protection citizens enjoy within the Union.
The new EU-U.S. Data Privacy Framework is based on a certification system, which means that organisations wanting to participate in the framework must commit to a set of privacy principles laid down in the agreement in order to get certified. Moreover, the agreement introduces a number of redress mechanisms, allowing European data subjects to lodge complaints if they consider themselves to be affected by an organisation’s non-compliance. In relation to this, the U.S. has also, as part of the framework, set up a Data Protection Review Court (DPRC), which shall allow European citizens “to bring claims against U.S. agencies if they believe their data was not gathered in a ‘necessary’ and ‘proportionate’ way for national security.”
The Framework Agreement effectively introduced improved mechanisms to protect personal data, and the EU trusts that the United States will adhere to a detailed new set of privacy obligations – such as the requirement to delete personal data when it is no longer necessary for the purposes for which it was collected .
This decision was made just a few months after the EC fined the Meta company $1.32 billion for a similar violation – the transfer of data to third parties that did not meet security requirements. It is important to note that this adequacy decision may still be challenged in the bloc’s highest court (the EU Court of Justice) by privacy campaigners in the coming months, as there is “no clarity” on fundamental privacy rights.