The European Commission is positive about resuming data transfers from the EU to the US in due course. The Commission is now beginning the process of resuming it because of a framework that will replace the previously dropped Privacy Shield.
The European Commission is started with the process of a adequacy decision adopt for the EU-US Data Privacy Framework. This framework should replace the Privacy Shield agreement rejected by the European court and should form a new basis for the exchange of data between the US and the EU. Due to the GDPR, an adequacy decision must follow before personal data can flow freely from the European Economic Area to a third country without further requirements and authorizations.
In the adequacy decision, the Commission concludes that the US offers guarantees for data protection and privacy that are ‘comparable’ to those of the EU. In short, according to the Commission, there will be sufficient protection in the US of personal data that companies send from the EU to US companies.
The Commission says that US companies can join the EU-US Data Privacy Framework if they commit to a number of detailed privacy obligations, such as requiring personal data to be deleted when it is no longer needed and ensuring ongoing data protection. data when it is shared with third parties. The Commission underlines that there are also means for EU citizens to act, such as free and independent dispute resolution mechanisms and an arbitration option.
Privacy Shield was rejected by the European court in 2020. That was because of US surveillance legislation. In the ruling, the Court indicated that the transfer of personal data to another country must be accompanied by a level of protection comparable to that of the GDPR. According to the Court of Justice, the protection was insufficient and the US surveillance programs were disproportionate because they went beyond what was necessary. In addition, it was concluded that EU citizens would have too few or no rights to enforce anything in a lawsuit against the US government.
Austrian privacy advocate Max Schrems was behind this lawsuit and an earlier one as well. He is not pleased with the new draft adequacy decision. According to him US rules still do not meet the proportionality requirement and there is still no adequate access to a court. He also states that there is still bulk surveillance. D66 MEP Sophie in ‘t Veld agrees with Schrems and states that an effective appeal is not possible. She points out that a Data Protection Review Court has been set up, but that this is not a real court and only an office of the US government.
The draft for the new adequacy decision is now being sent to the European Data Protection Board for its opinion. Ultimately, all Member States and the European Parliament must give their approval to the decision.