EU signs off on US deal for safe data transfers

10 Jul 2023


The adequacy decision for the privacy deal means that personal data can flow safely from the EU to US companies participating in the framework.

The European Commission has today (10 July) announced an adequacy decision for safe data transfers with the US.

This means that the commission has deemed the US to have an adequate level of protection for personal data transferred from the EU to US companies under the new EU-US Data Privacy Framework (DPF).

Under the deal, data can flow safely from the EU to US companies that are participating in the framework without having to put additional data protection safeguards in place.

The adequacy decision follows commitments made by the US in October of last year, when US president Joe Biden signed an executive order detailing steps the US would take to add further safeguards around EU data in order to enable transatlantic data flow.

The DPF introduces binding protections to address all of the concerns raised by the European Court of Justice, including limiting access to EU data by US intelligence services to what is necessary and proportionate.

The framework will also see the establishment of a Data Protection Review Court (DPRC), to which EU individuals will have access.

A new Privacy Shield?

The deal intends to restore safe transatlantic data flow following the striking down of the prior EU-US Privacy Shield framework.

Privacy Shield was deemed invalid following a complaint from privacy advocate Max Schrems about how Facebook handled his data. Schrems’ complaint also saw Privacy Shield’s predecessor, Safe Harbour, dismantled in 2015.

European Commission president Ursula von der Leyen said the new framework will “ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic”.

“Today we take an important step to provide trust to citizens that their data is safe, to deepen our economic ties between the EU and the US, and at the same time to reaffirm our shared values. It shows that by working together, we can address the most complex issues,” she said.

US companies will be able to join the DPF by committing to comply with a detailed set of privacy obligations such as the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties.

However, Schrems remains unsatisfied with the latest framework, claiming that it is “largely a copy” of the Privacy Shield that came before it.

“We now had ‘harbours’, ‘umbrellas’, ‘shields’ and ‘frameworks’ – but no substantial change in US surveillance law. The press statements of today are almost a literal copy of the ones from the past 23 years,” he said in a statement.

“Just announcing that something is ‘new’, ‘robust’ or ‘effective’ does not cut it before the Court of Justice. We would need changes in US surveillance law to make this work – and we simply don’t have it.”

NOYB, the digital rights group established by Schrems, is ready to file challenges to the new framework. “We currently expect this to be back at the Court of Justice by the beginning of next year,” added Schrems.


Jenny Darmody is the editor of Silicon Republic