EU-US personal data transfer: new adequacy decision by the European Commission

Written By Margherita Stucchi

On 10 July, the European Commission adopted the new Adequacy Decision on the EU-US framework of the regime for transferring personal data from the EU to US companies: 24 Member States voted anonymously in favour, with 3 Member States abstaining. The decision comes three years after the annulment of the previous agreement between the EU and the US, known as the Privacy Shield (for more on the subject see here ) and after serious doubts were also expressed in recent months by the European Parliament.

According to the EU Commission, this new framework provides sufficient guarantees for the protection of EU citizens' personal data processed on US territory - comparable to those in the EU. On the basis of this new adequacy decision, therefore, personal data can be transferred securely from the EU to US companies adhering to the framework, without the need for additional data protection safeguards.

The EU-US framework introduces new binding safeguards to address the concerns expressed by the EU Court of Justice in its 16 July 2020 decision C-311/18 (Schrems II), including limiting US intelligence services' access to EU citizens' data to what is necessary and proportionate and establishing a Data Protection Review Court (DPRC), an independent and impartial body, accessible to EU citizens, to handle and resolve complaints about the collection of their data for national security purposes. The DPRC can even order the deletion of data if it considers that they have been collected in breach of the new safeguards.

This is undoubtedly an important decision, which facilitates the transfer of data between the EU and US companies. However, there are still many doubts as to the stability of this agreement. Noyb, the organisation founded by activist Max Schrems (known for the two judgments of the EU Court of Justice that had already invalidated the two previous agreements regulating the transfer of data to the US, Safe Harbor and Privacy Shield) has already announced its intention to appeal the framework as well, considering this third attempt to be "a copy of the failed Privacy Shield". We will just have to wait for future updates.

Stay tuned.

Margherita Stucchi
Previous

The proof of pre-disclosure in patents according to the Italian Supreme Court of Cassation
Next

The Italian Supreme Court rules out the Italian jurisdiction over the infringement of the German portion of an international design registration