New EU decision simplifies transfer of personal data to the US
What does this mean for your organization?
On July 10th, the EU Commission adopted a new adequacy decision for transfers of personal data between the EU and the U.S. The newly adopted EU-U.S. Data Privacy Framework takes effect immediately and enables the free flow and transfer of personal data to the U.S. This does not mean that data can flow completely freely from the EU to the U.S., as U.S. companies first need to participate in the EU-U.S. Data Privacy Framework in order to rely on the adequacy decision. By joining the Framework, companies need to commit to certain privacy obligations, such as erasing personal data when it is no longer necessary and protecting personal data if it is further transferred to other third countries.
According to representatives of the EU Commission, the new EU-U.S. Data Privacy Framework introduces additional measures to protect personal data, compared with its predecessor, “Privacy Shield”. For example, EU citizens will have a new redress mechanism through the Data Protection Review Court (“DPRC”). The DPRC will have the ability to adopt binding decisions and act upon data complaints. Furthermore, access to personal data for U.S. authorities will be limited to what is strictly necessary.
U.S. companies wanting to join the new EU-U.S. Data Privacy Framework will apply to the U.S. Department of Commerce, which will be responsible for administering applications and monitoring that accepted companies uphold the requirements.
The new adequacy decision has begun to raise questions on whether a “Schrems-III” judgement is on the horizon. For example, the non-profit privacy organization Noyb, co-founded by Maximilian Schrems, has issued a press release stating that a challenge is ready to be filed with the Court of Justice of the European Union.
Do you need advice on the transfer of personal data to the U.S. and the new adequacy decision? Deloitte’s Legal and Risk Advisory team are experts within the field of data protection and information security and often help our clients to become, or remain, compliant with privacy laws and regulations.