February 29, 2024

Data movement between the EU and the USA: the European Commission issues a new adequacy decision

The European Commission has issued its adequacy decision EU-US data protection framework Supposedly. It stipulates that the United States will ensure an adequate level of protection – comparable to that of the European Union – for personal data transferred from the European Union to US companies under the new framework. After the Court of Justice of the European Union invalidated the previous adequacy decision on the EU-US Privacy Shield, the European Commission and the US Government took the necessary measures Conversations It provided a new framework to address the concerns raised by the Court.

Chairman of the Committee Ursula von der Leyen to explain: “The new EU-US data protection framework will ensure secure data flows for Europeans and provide legal certainty for companies on both sides of the Atlantic. Following the initial agreement reached with President Biden last year, the United States made unprecedented commitments to create the new framework. Today we take a step Mission Forward in giving citizens confidence in the security of their data, and deepening our EU-US economic relationship while strengthening our shared values.The Framework demonstrates that by working together we can tackle the most complex issues.

New binding guarantees

The EU-US Data Protection Framework introduces new binding safeguards to address all concerns raised by the European Court of Justice; This provides for US intelligence services to limit access to EU data to the necessary and proportionate level and establishes a Data Protection Review Court (DPRC) to which EU individuals can access.

The new framework brings significant improvements to the existing Privacy Shield mechanism. For example, if a Data Protection Review Tribunal finds that data collection violates the new safeguards, it can order the data to be deleted. New safeguards regarding government access to data would complement obligations that US companies importing data from the EU must adhere to.

See also  Thomas Sabo brings the Saboteur concept to the UK

US companies can join the EU-US Data Protection Framework by committing to comply with detailed data protection obligations, including, for example, obligations to delete personal data when it is no longer necessary for the purpose for which it was collected and to ensure continued protection when data is transferred. Personal information to third parties.

EU citizens will have several legal remedies if their data is not handled properly by US companies. These include free and independent dispute resolution mechanisms and an arbitration council.

Access to data by US authorities is restricted

In addition, the US legal framework provides for certain matters Guarantees regarding access by US authorities to data transferred within this framework, especially to access data for law enforcement and national security purposes. Access to data is to protect national security Necessary and proportionate action Limited.

Individuals in the European Union are subject to notice regarding the collection and use of their data by US intelligence agencies An independent and impartial appeals process This can be resorted to, which also includes referral to a newly established court for data protection review. This court independently investigates and resolves any complaints, including by ordering mandatory damages.

The guarantees provided by the United States will also facilitate trans-Atlantic data flows in general, as they also apply to data transfers using other tools such as standard contractual clauses and binding corporate rules.

Next steps

The performance of the EU-US data protection framework should be regularly reviewed jointly by the European Commission, representatives of the responsible European and US data protection authorities.

See also  Heat record in Great Britain! The hottest day ever | News

The first review should occur within one year of the adequacy decision taking effect to determine whether all relevant elements have been fully implemented in the US legal framework and are operating effectively in practice.

background

according to Article 45, paragraph 3 Under the General Data Protection Regulation (GDPR), the Commission can decide, through an implementing law, that a third country provides an “adequate level of protection”, i.e. a level of personal data protection that is essentially equivalent to that offered in the EU. Adequacy decisions mean that personal data can be transferred from the European Union (as well as Norway, Liechtenstein and Iceland) to a third country without the need for further protection measures.

After the Court of Justice of the European Union invalidated the previous adequacy decision on the EU-US Privacy Shield, the European Commission and the US Government took the necessary measures Conversations It provided a new framework to address the concerns raised by the Court.

In the March 2022 The president gave von der Leyen President Biden announced that they would follow up on negotiations between the Commissioner Reenders US Commerce Secretary Raimondo reached an agreement in principle on a new transatlantic framework for data movement. In the October 2022 President Biden signed a related executive order (“Executive Order on Strengthening Safeguards for U.S. Signals Intelligence Activities”), which was supplemented by orders from U.S. Attorney General Garland. These two instruments implemented the obligations undertaken by the United States under this agreement as a matter of principle in US law and complemented the obligations of US companies within the EU-US data protection framework.

See also  Notify relevant changes to important shareholders

The United States constitutes an essential element in the American legal framework on which these guarantees are baseddecree On Improving the Security Precautions for United States Intelligence Activities in the Field of Telecommunications and Electronic Reconnaissance (“Strengthening Safeguards for US Signals Intelligence Activities”), which incorporates points of criticism cited by the Court of Justice of the European Union in the “Schrems II” ruling of July 2020.

The framework is managed and monitored by the US Department of Commerce. The US Federal Trade Commission will enforce US companies' compliance.

additional information:

Full press release

Adequate decision on the EU-US data protection framework

questions and answers: EU-US data protection framework

Statement of facts On the Transatlantic Data Protection Framework

Data transfer between the European Union and the United States of America (europa.eu)

The international dimension of data protection (europa.eu)

Suitability decisions (europa.eu)

Joint Declaration on the Transatlantic Data Protection Framework (europa.eu)

Media contact: Catherine [dot] AbiliEuropean Commission [dot] Europe [dot] European Union (Catherine Appel)Tel: +49 (30) 2280-2140. More information on all press contacts here.

The team at the ERLENBIS EUROPA Visitor Center will respond to citizens' inquiries via email I askinEurope experience [dot] European Union (e-mail) Or by phone on (030) 2280 2900.