The European Commission issued an adequacy decision on Monday regarding data transfers to the US. The decision means that the US has officially adopted an adequate data protection standard for the EU to participate in the EU-US Data Privacy Framework. The decision eases the way for multinational corporations operating in both the US and the EU.
The EU explained the impact of the decision, stating:
[T]he United States ensures an adequate level of protection for personal data transferred from the EU to companies participating in the EU-U.S. Data Privacy Framework. With the adoption of the adequacy decision, European entities are able to transfer personal data to participating companies in the United States, without having to put in place additional data protection safeguards.
The US Department of Commerce will be responsible for implementing the newly designed framework. Specifically, they will oversee the process of certification of data applications and compliance monitoring.
The decision follows US President Joe Biden’s July 3 executive order, which established limitations on US intelligence agencies’ access to foreign-origin data. The executive order restricted the agencies’ access to only that data which is deemed necessary.
Previously, the transfer of sensitive data from the EU to the US required the utilization of standard contract clauses. Under that system, even for a single entity, EU-based companies were required to draft contractual agreements with US-based companies before any data could be transferred.
The EU’s previous attempt to establish a mechanism for the secure transfer of data, known as the Privacy Shield, was invalidated only years after its implementation by the EU Court of Justice (ECJ) in 2020. The primary reason behind the termination of the Privacy Shield was due to a conflict between US surveillance laws and the individual rights of EU citizens. Under US law, authorities are granted broad access to foreign individuals’ personal data, which directly contradicts provisions set forth in the EU’s General Data Protection Regulation (GDPR).
The adequacy decision took effect immediately upon its adoption Monday. That said, the European Commission intends to continue to monitor the efficacy of the new framework, which may be altered to include additional operational restrictions, as deemed necessary. The EU and the US are also currently weighing the establishment of an impartial mechanism to address complaints from Europeans concerning the collection of their personal data for national security purposes.