European Commission adopts new adequacy decision for the EU-US Data Privacy Framework

The European Commission (EC) adopted its new adequacy decision for the EU-US Data Privacy Framework, concluding that the US ensures an adequate level of protection to that of the EU when transferring data from the EU to the US. According to the new EU-US Data Privacy Framework, personal data can be transferred from the EU to US companies safely without having to guarantee additional data protection safeguards.

EC claims that the new EU-US Data Privacy Framework introduces new binding safeguards addressing all the concerns raised by the Court of Justice of the EU (CJEU). This includes the limitation of access to the EU data by US intelligence agencies unless deemed necessary and proportionate while also establishing a Data Protection Review Court (DPRC) for the EU citizens.

The DPRC is granted the power to order the deletion of data when it finds that there has been a violation, to which the US companies will have to comply if willing to join the EU-US Data Protection Framework. Safeguards will also apply to standard contractual clauses (SCCs) and binding corporate rules when being used to facilitate transatlantic data flows.

The EU-US Data Privacy Framework will undergo regular reviews by the European Commission, European data protection authorities, and the competent US authorities. These reviews aim to ensure the framework is fully implemented in US law and functioning effectively. The first review will occur within a year of the framework being implemented.