New legal framework for data transfer between the EU and the USA

On July 10, 2023, the European Commission adopted the Decision on the Adequacy of the framework for protection of data privacy between the European Union and the United States of America. The Decision emphasizes that the United States of America provides an appropriate level of protection of personal data transferred between the European Union and organizations in the United States of America that are listed in the EU-U.S. Data Privacy Framework. The list is managed and published by the US Department of Commerce.

The Decision has an executive character and was adopted in accordance with Article 45 of the General Data Protection Regulation (2016/679, GDPR), which stipulates that personal data may be transferred to a third country or an international organization where the Commission has determined that the third country, a territory or one or more sectors within that country, or the international organization provides an adequate level of protection.

Based on the adopted Decision on Adequacy, personal data can be safely transferred from the European Union to American organizations and companies participating in the Framework, without the need to fulfil the conditions related to additional personal data protection measures.

A new legal framework for the transatlantic transfer of personal data was thus established, bearing in mind that after the decision of the Court of Justice of the European Union in the case Schrems II, from July 2020, there was no legal framework for carrying out such a transfer. In that case, the court adopted a logical position that the previous legal instrument, known as the Privacy Shield, does not provide an adequate level of data protection due to the widespread practice of monitoring data in the US, especially by the intelligence services, as well as the lack of compensation for citizens of the European Union in the event of a violation of their rights.

Following the annulment of the previous Adequacy Decision by the Court of Justice, the European Commission and the US Government entered into negotiations on a new framework that addresses the issues raised by the Court in its judgment. In the previous three years, numerous activities were undertaken at the institutional level, between the European Union and the United States of America, in order to establish proper mechanisms for the transfer of personal data, which finally resulted in the Adequacy Decision and the adoption of the new Framework for the Protection of Data Privacy.

This new Framework introduces new binding safeguards to address all the issues raised by the European Court of Justice in the case Schrems II, including limiting US intelligence access to EU data to what is necessary and proportionate, and establishing a Data Protection Review Court (DPRC), to which individuals from the European Union can turn. If the DPRC determines that the data were collected contrary to the prescribed protection measures, it has the authority to issue an order to delete the data in question.

Business entities from the USA will be included in the list of the Data Privacy Framework if they undertake to comply with the obligations related to the protection of data privacy, detailed in Annex 1 of the Commission’s Decision. Such obligations include, among other things, informing the data holder about all essential aspects of the processing of personal data; offering the data holder the choice of whether he/she wants the data to be made available to a third party or to be used for a purpose that is fundamentally different from the purpose for which the data were originally collected; and applying appropriate protection measures against loss, misuse, unauthorized access, modification or destruction of data.

Under the Framework, individuals from the European Union will be able to protect their rights by turning to independent, alternative dispute resolution mechanisms and panels of arbitrators. In addition, the Decision established the possibility of access to an independent and impartial compensation mechanism related to the collection and use of personal data of individuals by US intelligence agencies, which includes the newly formed Data Protection Review Court (DPRC).

Another advantage that stands out is that the protective measures of the US Government in the field of national security are applied to every transfer of data to US companies, in accordance with the GDPR, so it will be easier to use other protection instruments prescribed by the GDPR, such as, for example, standard contractual clauses and binding corporate rules.

The adoption of such a legal document, which regulates the transfer of personal data from the European Union to the USA and vice versa, therefore aims to strengthen the protection of the privacy of data holders in the processing and transfer of personal data and to generally raise the level of legal security in this area. This Framework for data transfer will be especially important for multinational corporations and large technology companies, whose business is almost unthinkable without the transfer of a large amount of personal data between EU countries and the USA.

In the end, it remains to be seen how the implementation of the Data Privacy Framework will turn out in practice and in which direction further development and cooperation between the European Union and the US in the field of privacy and personal data protection will go. In any case, the adoption of an act enabling data transfer represents a crucial step forward in complicated relations in this area and a positive example that should be followed in bilateral relations with other countries with which the European Union does not have an established (adequate) legal framework for data transfer.

Author: Igor Letica
