The so-called adequacy decision means businesses can send personal data collected from customers in the EU to the US without fear of violating EU data protection law, as long as they comply with the basic principles of the new data privacy framework. This decision comes after extensive negotiations between the EU and the US following the invalidation of the EU-US Privacy Shield by the Court of Justice of the European Union (CJEU) in 2020.
When it comes to processing web users’ data, Europe has stringent restrictions. The General Data Protection Regulation (GDPR) went into effect in 2018 and set strict guidelines for businesses to follow in order to handle user data securely and responsibly. This law is applicable to all of the EU’s member states. On the other hand, there is no single federal data protection law that protects the privacy of all types of data in the United States.
This adequacy decision ensures that the United States provides a level of data protection equivalent to that of the European Union. The decision allows self-certified companies that comply with the EU-US Data Privacy Framework and commit to privacy obligations to receive EU personal data without requiring additional transfer safeguards. The EU-US Data Privacy Framework addresses the concerns raised by the CJEU, including access to EU data by US intelligence services. It also provides enhanced redress mechanisms for European citizens if their personal data is mishandled, including through the newly established Data Protection Review Court (DPRC).
The European Commission will conduct regular reviews of the EU-US Data Privacy Framework in collaboration with European data protection authorities and competent US authorities.
During a press conference, European Commissioner for Justice Didier Reynders stated that the adoption of the adequacy decision enables the free and safe flow of personal data from the European Economic Area to the US without additional conditions or authorizations. When asked about potential challenges to the decision, the EU Justice Commissioner expressed the Commission’s confidence in implementing and defending the agreement in any procedures that may arise.
According to privacy activists, these measures are insufficient because EU citizens are not afforded the same level of protection under US privacy rules as Americans are. “Whether the framework is successful will be a matter of whether the European courts consider the protections for personal data in the US do enough to deliver essential equivalence to the EU protections,” Holger Lutz, partner at law firm Clifford Chance, told CNBC.
Additional information about the EU-US Data Privacy Framework and the self-certification process will be available on the US Department of Commerce’s website.