Adequacy decision for the EU – US framework regarding data protection
By Mugurel Olariu, RPD protectie date
On July 10, the European Commission adopted its adequacy decision for the EU – US Data Privacy Framework*1. The adequacy decision concludes that the United States provides an adequate level of protection – compared to the EU – for personal data transferred from the EU to US companies participating in the EU – US Data Privacy Framework.
The Commission also states*2 that the adequacy decision follows the signing by the US of an Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities”, which introduced new mandatory safeguards to address the points raised by the Court of Justice of the European Union in its Schrems II decision of July 2020. In particular, the new obligations were intended to ensure that US intelligence agencies access data only to the extent necessary and proportionate, and to establish an independent and impartial redress mechanism to deal with and resolve complaints from Europeans about the collection of information and their data for national security purposes.
The following is presented in question-and-answer form:
1. What is an adequacy decision?
An adequacy decision is one of the tools provided by the General Data Protection Regulation (GDPR) to transfer personal data from the EU to third countries which, in the Commission’s assessment, offer a level of personal data protection comparable to that of the European Union.
As a result of adequacy decisions, personal data can flow freely and securely from the European Economic Area (EEA), which includes the 27 EU member states as well as Norway, Iceland and Liechtenstein, to a third country, without being subject to any other obligations, conditions or authorizations. In other words, transfers to the third country can be handled in the same way as intra-EU data transmissions.
The EU-US Data Privacy Framework Adequacy Decision covers data transfers from any public or private entity in the EEA to US companies participating in the EU – US Data Privacy Framework.
2. What are the adequacy assessment criteria?
Adequacy does not require the third country’s data protection system to be identical to the EU’s, but is based on the “essential equivalence” standard. This involves a comprehensive assessment of a country’s data protection framework, both the protections applicable to personal data and the oversight mechanisms and remedies available.
The European data protection authorities have drawn up a list of elements to be taken into account for this assessment, such as the existence of basic data protection principles, individual rights, independent supervision and effective remedies.
3. What is the EU-US Data Privacy Framework?
In its adequacy decision, the Commission carefully assessed the data privacy requirements arising from the EU – US framework, as well as the limitations and safeguards that apply when personal data transferred to the US would be accessed by US public authorities, specifically for criminal law enforcement and national security purposes.
On this basis, the adequacy decision concludes that the United States provides an adequate level of protection for personal data transferred from the EU to companies participating in the EU – US Data Privacy Framework. With the adoption of the adequacy decision, European entities are able to transfer personal data to participating companies in the United States without having to implement additional data protection safeguards.
The framework gives EU individuals whose data would be transferred to participating US companies several new rights (for example, to obtain access to their data or to obtain the correction or deletion of incorrect or unlawfully manipulated data). In addition, it offers various avenues for redress if their data is mishandled, including before independent dispute resolution mechanisms and an arbitration panel.
US companies can certify their participation in the EU – US Data Privacy Framework by committing to a detailed set of privacy obligations. This could include, for example, privacy principles such as purpose limitation, data minimization and data retention, as well as specific data security and data sharing obligations with third parties.
The framework will be administered by the US Department of Commerce, which will process certification applications and monitor whether participating companies continue to meet certification requirements. Compliance by US companies with their obligations under the EU – US Data Privacy Framework will be enforced by the US Federal Trade Commission.
(to be continued in the next issue)
––––––––––––––––––––––––
1. https://commission.europa.eu/system/files/2023-07/Adequacy%20decision%20EU-US%20Data%20Privacy%20Framework_en.pdf
2. https://ec.europa.eu/commission/presscorner/detail/en/qanda_23_3752
















