The European Commission has finally adopted the adequacy decision for the EU-US Data Privacy Framework after 3 years. The evaluation was carried out following the changes introduced by EO 14086. The binding assurances introduced by this law address all the concerns raised previously in the Schrems II judgment of the Court of Justice.
It has been deemed that the measures would ensure an adequate level of protection, comparable to that of the European Union. Therefore, personal data can flow securely from the EU to US companies participating in the framework without the need for additional safeguards for data protection.
On July 3, 2023, the US intelligence community adopted various policies and procedures concerning different US agencies such as the Central Intelligence Agency, the Federal Bureau of Investigation, the National Security Agency, and the Department of Homeland Security.
EU citizens will have recourse regarding the collection and use of their data by US intelligence agencies, as well as access to the newly established Data Protection Review Committee (DPRC). The Tribunal will independently investigate and resolve complaints, and can even impose binding corrective measures.
The safeguards implemented by the United States will facilitate transatlantic data flows, even when data is transferred using different tools such as standard contractual clauses and binding corporate rules.
The functioning of the EU-US Data Privacy Framework will be subject to periodic reviews, conducted by the European Commission together with representatives of European data protection authorities and relevant US authorities.
The first review will take place within one year of the adequacy decision coming into effect, to verify that all relevant elements have been fully incorporated into US law and are effectively operational in practice.
US organizations that import personal data from the EU and wish to use the Data Privacy Framework must self-certify their adherence to its principles (which were already established under the Privacy Shield and are now implemented), namely: notice; choice/opt-out; accountability; security; data integrity and purpose limitation; access by individuals; recourse for individuals; verification and enforcement mechanisms to ensure compliance with the Data Privacy Framework Principles.
The website for certification is provided by the US Department of Commerce and can be accessed at https://www.dataprivacyframework.gov/s/
EU-based data exporters can directly verify whether a US data importer benefits from the protections provided by the new framework through the list prepared on the Data Privacy Framework website.
Nicolò Ghibellini
Margherita Barletta