On July 10, 2023, the European Commission issued a new adequacy decision. The decision stipulates that the US will ensure a level of protection comparable to that of the EU for personal data transferred from the EU to US companies within the new framework.
The new adequacy decision was prompted by the ECJ’s so-called Schrems II decision of July 16, 2020, in which the previous adequacy decision on the EU-US data protection shield (“Privacy Shield”) was declared invalid.
What new requirements does the EU-US Data Privacy Framework entail?
The EU-US Data Privacy Framework introduces new binding safeguards to meet the requirements of the ECJ ruling of July 16, 2020. Among other things, it limits access by US intelligence agencies to EU data to a necessary and proportionate level and establishes a Data Protection Review Court. Individuals in the EU will have access to this court.
If this court finds that the new safeguards have been breached in the course of data collection, it can order that the data be deleted. EU citizens will have several legal remedies if their data is not handled properly by US companies. These include free independent dispute resolution mechanisms and an arbitration board.
US entities can now obtain a certification under the EU-US Data Privacy Framework by undertaking to comply with detailed data privacy obligations in order to be recognized as a secure data recipient pursuant to Art. 44, 45 GDPR.
Transfer of personal data to the US now legally secure?
For the time being, personal data can be transferred to the US in a legally secure manner. Nevertheless, the ECJ will address the legality of the EU-US Data Privacy Framework in the near future.
Companies transferring personal data to the US (the use of common cloud software such as Microsoft 365 is already sufficient to be deemed a transfer) should check with their providers whether they are certified accordingly.