EU adopts decision for secure data traffic between the EU and the USA

Today, the European Commission gave its approval to the adequacy decision for the data protection framework between the EU and the US. This decision declares that the U.S. provides a level of protection for personal data comparable to that of the EU, and that within this new framework, the EU will transfer to U.S. companies.

The new adequacy decision allows for the secure transfer of personal data from the EU to U.S. companies participating in the framework without the need for further data protection measures.

• U.S. intelligence agencies may access transferred data from the EU only if it appears necessary and proportionate for law enforcement or national security reasons.
• To review data protection by U.S. companies, a court is to be established to which EU citizens can turn in the event of suspected violations.
• The data protection agreement between the EU and the U.S. is to be regularly reviewed for compliance by the EU Commission and representatives of European data protection authorities.

The EU-US data protection framework brings new binding safeguards aimed at addressing concerns raised by the European Court of Justice. This includes limiting U.S. intelligence agencies’ access to EU data to a necessary and proportionate extent, and creating a Data Protection Review Court (DPRC) to which EU citizens have access.

Compared to the mechanism in place in the Privacy Shield, this new framework shows considerable progress. For example, the DPRC has the authority to require the deletion of data if it is determined that the new safeguards were violated during the data collection process. These new safeguards on government access to data will complement the obligations that U.S. companies taking data from the EU must comply with.