The new US-EU privacy framework has arrived. On 10 July, the European Commission adopted the adequacy decision on the US-EU privacy framework.
Does the new US-EU Privacy Framework comply with the adequate level of protection?
The European Commission has determined that the new Privacy agreement ensures an adequate level of personal data protection, comparable to the EU one.
Therefore, personal data will be safely and securely transferred from the European Union to the US companies participating in the Framework without the need for additional data protection safeguards.
New binding guarantees
These new safeguards on access to data by public authorities will complement the obligations that US companies importing data from the EU will have to assume. They are as follows:
- Limiting access by US intelligence services to EU data to what is necessary and proportionate.
- Establishment of a Data Protection Court of Appeal, to which EU citizens will have access.
- In the event of improper treatment of their data by US companies, European citizens will have several channels of redress, including free independent dispute resolution mechanisms and an Arbitral Tribunal.
What will US companies have to do from now on?
Companies in the United States will have the possibility to join the EU-US Privacy Framework, as long as they commit to comply with a number of detailed privacy obligations.
Examples of these are:
- Ensure continuity of protection in the event of sharing personal data with third parties.
- Delete personal data once they are no longer necessary for the purpose for which they were collected.
Therefore, despite the fact that the adequacy decision entered into force upon its adoption, it can only be used to legitimise an international transfer to the US if the receiving entity is certified under the EU-US Data Privacy Framework.
In addition, the receiving entity must be listed in the EU-US Data Privacy Framework. This will include any entity that maintains active certification under the EU-US Data Privacy Framework.
What is the EU-US Data Privacy Framework?
This is a self-certification mechanism, through which US companies commit to comply with principles for the processing of personal data received from the EU.
This will be done through the new US-EU Privacy Framework, using the adequacy decision adopted by the European Commission.
In order to be selected for certification under the new EU-US Privacy Framework, a recipient entity will have to be subject to the enforcement and investigatory powers of:
- Federal Trade Commission.
- U.S. Department of Transportation.
This requirement may not apply to some banks, airlines, insurance companies, telecommunications companies and others.
Other international transfers to the US
Both the safeguards adopted and the legislative changes in the US will facilitate the use of safeguards such as standard contractual clauses or binding corporate rules.
This does not exclude that a Transfer Impact Assessment will still be required for all transfers outside the EU-US Data Privacy Framework.
The adequacy decision ensures that EU-US data transfers are possible through a stable and reliable agreement that protects individuals and provides legal certainty for businesses.
For its part, the US International Trade Administration has created a website on the data privacy framework. It contains information on self-certification, participating organisations and compliance, among other topics.
Entry into force
The new agreement will be subject to periodic reviews carried out by the European Commission, together with representatives of the European and US competent authorities.
The first review will take place within one year of the entry into force of the adequacy decision.
In addition, the purpose of this review will be to verify that all the precepts implemented in the US legal framework have been complied with.
A Data Protection Review Tribunal will be established for this purpose. It will order the deletion of data if it is determined that it was collected in violation of the new safeguards.
Likewise, the Privacy Framework will be withdrawn if the Court of Review finds that the safeguards adopted by the US are not sufficient to protect the rights and freedoms of European citizens.
European Justice Commissioner Didier Reynders said that European citizens will be able to file complaints free of charge with their local data protection authority, without needing to prove that US intelligence agencies have accessed their data.
It is important to add that this is not the first data protection agreement between Europe and the US, as there have been others in the past.
Failure of previous EU-US agreements
The Safe Harbor agreement between the EU and the US, created in 2000, was intended to regulate the way in which US companies could transfer personal data of European citizens.
The European Court of Justice ruled that the agreement was invalid after analysing Maximilian Schrems’ complaint against Facebook, as the United States did not provide adequate protection for EU citizens’ personal data. The Privacy Shield then began to be negotiated.
Following the implementation of this second agreement between the US and the EU, companies transferring data between the EU and the US were supposed to comply with the GDPR.
The latter includes the standard contractual clauses (SCC) and binding corporate rules (BCR).
However, the European Court of Justice, following a second complaint by Schrems, again declared the Privacy Shield agreement invalid.
Following the invalidation of the Privacy Shield, many efforts have been made to achieve a proper data transfer agreement between the EU and the US.
Finally, the current US-EU Privacy Shield agreement, also known as “Schrems III”, has arrived.
With the implementation of this new Privacy Framework, several people are claiming that, in a matter of months, it will bring about disparities that will lead the European Court of Justice to question its effectiveness.
Auratech will keep you informed about future updates on the adequacy decision and will provide a briefing note on the content of the decision.