The European Union and the United States have reached a new agreement on data transfers, which will allow businesses to transfer data from the EU to companies participating in the EU-US Data Privacy Framework.
The European Commission has recently announced a new adequacy decision for EU-US transfers, marking a significant development in the protection of personal data. This decision comes after a thorough assessment of the US legal framework and the implementation of additional safeguards, addressing concerns raised by the Court of Justice of the European Union (CJEU) in the Schrems II ruling. The decision aims to ensure that data transfers between the EU and the US are carried out in compliance with the EU’s General Data Protection Regulation (GDPR). This represents a significant milestone in data protection and cross-border data flows. It provides a tool for the transfer of personal data between the EU and the US, ensuring compliance with the GDPR.
New EU-US Data Privacy Framework provides legal certainty for businesses and individuals.
The new adequacy decision is a result of extensive negotiations between the European Commission and the US Government. It builds upon the existing EU-US Privacy Shield, which was invalidated by the CJEU due to concerns over US surveillance practices. The European Commission has now concluded that the US has made commitments to ensure an adequate level of data protection when personal data is transferred under this new framework, including the implementation of several important safeguards to protect personal data transferred from the EU. These safeguards include limitations on access to data by public authorities, effective remedies for individuals in case of data protection violations, and an official appointed to investigate individuals’ complaints regarding access to personal data by US authorities. Additionally, the US has provided assurances that any access to personal data for national security purposes will be subject to clear conditions, safeguards, and oversight. This decision is crucial for businesses and individuals who rely on transatlantic data flows, as it provides legal certainty and avoids disruptions in data transfers.
The new adequacy decision will be periodically reviewed to assess its effectiveness and to confirm that all relevant components have been fully implemented.
The new adequacy decision entered into force on 10th July and the European Commission emphasized that it is not a one-time assessment, but rather an ongoing commitment to monitor and ensure the protection of personal data. The decision includes a joint review mechanism that will regularly evaluate the functioning of the new framework and address any concerns that may arise. The first review will be conducted within a year of the entry into force of this new adequacy decision. Didier Reynders, the European Commissioner for Justice said “The adoption of this adequacy decision is the final step to ensure safe and free transfers of data across the Atlantic. It ensures the protection of individual rights in our intangible and interconnected digital world, where physical borders do not matter much anymore. Since the Schrems II decision came out years ago, I have worked tirelessly with my US counterparts to address the concerns identified by the Court of Justice, and ensure that technological advances do not come at the cost of Europeans’ trust. But as close like-minded-partners, the EU and the US could find solutions, based on their shared values, that are both lawful and workable in their respective systems.”
Does your company conduct third country transfers and want to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.