On Monday, 10 July, the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework (DPF), confirming that the United States provides an adequate level of protection for personal data transferred from the EU to participating US companies. The announcement means that personal data can flow safely from the EU to DPF-registered US companies without the need for additional data protection safeguards. The Commission also published a factsheet and a Q&A document explaining the DPF's key provisions.
The DPF introduces new binding safeguards to address concerns raised by the Schrems II ruling by the Court of Justice of the European Union (CJEU), which struck down the EU-US Privacy Shield framework. Under the terms of the new agreement, access to EU data by US intelligence services is limited to what is necessary and proportionate, while a Data Protection Review Court has been established to provide redress to EU citizens. The new safeguards complement the obligations that US companies importing data from the EU will have to subscribe to.
Today's announcement follows a formal vote last Friday in which a majority of 24 EU member states voted in favour of the framework, indicating their confidence in its ability to protect personal data. The remaining three member states abstained from voting.
President of the European Commission, Ursula von der Leyen, said, "The new EU-U.S. Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic. Following the agreement in principle I reached with President Biden last year, the US has implemented unprecedented commitments to establish the new framework. Today we take an important step to provide trust to citizens that their data is safe, to deepen our economic ties between the EU and the US, and at the same time to reaffirm our shared values. It shows that by working together, we can address the most complex issues."
In a separate statement, US President Joe Biden said, "I welcome the European Commission’s adequacy decision for the EU-U.S. Data Privacy Framework—which will allow personal data to be transferred from Europe to U.S. companies safely and securely. Today’s announcement represents the culmination of years of close cooperation between the United States and the European Union, and affirms the strength of our transatlantic relationship founded on our shared democratic values and vision for the world. The decision reflects our joint commitment to strong data privacy protections and will create greater economic opportunities for our countries and companies on both sides of the Atlantic."
The news has been widely reported on both sides of the Atlantic: Reuters, Politico, EURACTIV, Financial Times (£), The New York Times (£), The Wall Street Times (£) and Bloomberg (£). Meanwhile, this IAPP article provides additional commentary and some early reactions.
Following the announcement, the Interactive Advertising Bureau (IAB) praised the DPF agreement saying that it would protect an estimated $7.1 trillion of commerce between the two trading blocs. However, not all reactions to the announcement have been positive. Austrian privacy group NOYB released a statement indicating that the "third attempt of the European Commission to get a stable agreement on EU-US data transfers will be likely back at the Court of Justice (CJEU) in a matter of months."
Max Schrems, honorary chair of NOYB, said, "They say the definition of insanity is doing the same thing over and over again and expecting a different result. Just like 'Privacy Shield' the latest deal is not based on material changes, but by political interests. Once again the current Commission seems to think that the mess will be the next Commission's problem. FISA 702 needs to be prolonged by the US this year, but with the announcement of the new deal the EU has lost any power to get a reform of FISA 702."
UPDATE: 110723 - NOYB issued a separate statement calling for rectification and an apology from European Commissioner for Justice Didier Reynders over allegations he made that non-profits bring cases before the CJEU as a "business model". NOYB has responded, calling his comments an "unacceptable attack on the important work of civil rights organisations." The statement also clarifies that in his capacity as NOYB chairman, Max Schrems works on a pro bono basis.
What is this page?
You are reading a summary article on the Privacy Newsfeed, a free resource for DPOs and other professionals with privacy or data protection responsibilities helping them stay informed of industry news all in one place. The information here is a brief snippet relating to a single piece of original content or several articles about a common topic or thread. The main contributor is listed in the top left-hand corner, just beneath the article title.
The Privacy Newsfeed monitors over 300 global publications, of which more than 4,350 summary articles have been posted to the online archive dating back to the beginning of 2020. A weekly roundup is available by email every Friday.