EU-U.S. Data Privacy Framework The “Adequacy Decision”

Co-Author: Prajwala D Dinesh Shivang Mishra Kislay Mishra

The EU-US Data Privacy Framework is back! The European Commission on 10th of July 2023 announced that they have formally adopted a new adequacy decision on the EU-U.S. Data Privacy Framework (the “Adequacy Decision”).

This adequacy decision comes after long negotiations between the EU and the US authorities. One of the key breakthroughs in progressing this agreement was an executive order signed by US President Biden, which put limitations on US Intelligence access to data of EU citizens only to what is ‘necessary and proportionate.

These are the main details you need to be aware of:

1. The transatlantic data transfer framework was designed in 2016 to enable cross-border data transfers between the EU and the US jurisdiction. Following the Schrems I ruling by the CJEU, this framework sought to replace the Safe Harbour Agreement, which had been declared unconstitutional.

2. The CJEU invalidated the EU Commission's assessment of the EU-US Data Privacy Framework in 2020 under the Schrems II judgement. The court emphasised that US domestic laws lacked the safeguards required by the GDPR to protect the personal data of EU persons.

3. A new adequacy decision for the updated EU-US Data Privacy Framework was adopted by the European Commission on July 10, 2023. These ruling permits businesses to send data to the US while including extra safeguards to validate these transatlantic data transfers. The US Companies under this framework must comply by updating their privacy policies by October 10, 2023.

4. The US government has made significant moves under this framework to address data privacy and surveillance issues, including:

-?putting in place measures that restrict the access of American intelligence services to the personal information of EU nationals.

-?establishing a grievance redressal mechanism that takes the shape of a review court with the authority to compel the erasure of data belonging to EU individuals who have violated the framework's tenets of access.

-?evaluating the US's compliance with the framework after a year.

Strengthening Subject’s Data Rights: Monitoring and Grievance Redressal

The US authorities have succeeded in allaying the data privacy and surveillance concerns of their European Counterparts in this framework by providing the following:

·?Safeguards which will limit the access to personal data of EU citizens by American Intelligence Services.

· Grievance Redressal Mechanism in the form of a Review Court that is empowered to order the deletion of data of EU Citizens if it’s accessed in violation of the framework’s principles.

· Review of implementation of this Framework Compliance in the US after one year.

Way Ahead: Free flow of data and Simplified Compliance

This new data transfer system will not only make compliance easier but also encourage closer ties between the two jurisdictions. The latest privacy framework between EU & US is a stepping stone to the inclusive development in the privacy?environment!