On 10 July 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework.
This means that the US is now considered to provide an adequate level of protection, comparable to that in the EU, for personal data transferred from the EU to US companies participating in the EU-US Data Privacy Framework.
US companies can join the EU-US Data Privacy Framework by agreeing to comply with a detailed set of privacy obligations, such as deleting personal data when it is no longer necessary for the purposes for which it was collected and ensuring continuity of protection when personal data is transferred to third parties.
No additional transfer safeguards need to be put in place.
The Commission pointed out that the EU-US Data Privacy Framework addresses all the concerns raised by the case law of the Court of Justice of the European Union.
EU data subjects will have several means of redress if their personal data is mishandled by US companies participating in the EU-US Privacy Framework. They will have access to an independent and impartial redress mechanism for the processing of their personal data by US intelligence agencies, including a newly created Data Protection Review Court that will independently investigate and resolve complaints, including by issuing binding remedies.
The European Commission, together with representatives of European data protection authorities and competent US authorities, will regularly review the functioning of the EU-US data Privacy Framework. The first review will take place within one year of the entry into force of the adequacy decision.
The press release can be found here, where you will also find several documents, including the Adequacy decision on the EU-US Data Privacy Framework and the Questions and Answers published by the European Commission on 10 July 2023.
