On July 10, 2023, the European Commission adopted its long-awaited adequacy decision for the EU-U.S. Data Privacy Framework (hereinafter: DPF). The decision concludes that the United States of America ensures an adequate level of protection for personal data transferred from the EU to U.S. organizations participating in the DPF. Personal data can therefore be transferred from EU countries (and from Iceland, Liechtenstein and Norway) to U.S. entities participating in the DPF without having to put in place any additional data protection safeguards.
The adequacy decision was adopted based on the Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’ issued by President Joe Biden on October 7, 2022, requiring U.S. intelligence officials to add more privacy safeguards regarding the collection of digital information, including in particular, but not limited to, ensuring that such data collection is at all times proportionate to the given national security risks. This was required based on the July 2020 Schrems II decision of the Court of Justice of the European Union. An independent and objective remedy mechanism was also established to process and resolve complaints from European data subjects concerning the processing of their personal data for American national security purposes.
Based on the above, the Commission has evaluated the requirements that follow from the DPF, and the restrictions and protective measures that apply when personal data transferred to the U.S. would be accessed by U.S. authorities for criminal law enforcement and national security purposes, and concluded that the U.S. ensures an adequate level of protection for personal data transferred from the EU to companies participating in the DPF.
As with the EU-U.S. Privacy Shield Framework, U.S. organizations can certify their participation in the DPF by committing to comply with a comprehensive set of privacy obligations, including, for example, the application of privacy principles such as purpose limitation and data minimization, as well as specific data security requirements.
The DPF will be administered by the U.S. Department of Commerce, which will process applications for certification and evaluate whether participating entities meet the applicable certification requirements. Compliance with obligations under the DPF will be enforced by the U.S. Federal Trade Commission.
To accommodate the adequacy decision, the U.S. Government established a new two-layer redress mechanism to handle and resolve complaints in relation to data processing carried out by U.S. intelligence agencies regarding personal data transferred from the EU to organizations operating in the U.S. Data subjects can submit a complaint to their national data protection authority, that is, to the National Authority for Data Protection and Freedom of Information in Hungary, which will ensure that the complaint is properly transmitted and that any further information relating to the procedure is provided to the individual complainant. This procedure also ensures that individuals can turn to an authority in their vicinity and in their own language. Complaints will be transmitted to the U.S. through the European Data Protection Board.
As for the process within the U.S., complaints will first be investigated by the ‘Civil Liberties Protection Officer’ of the U.S. intelligence community. In case data subjects are not satisfied with the outcome, they will be able to appeal to the newly created Data Protection Review Court (hereinafter: DPRC). The DPRC has powers to investigate complaints from European individuals, including accessing data from intelligence agencies, and reach binding remedial decisions.
Based on the statement of the U.S. Secretary of Commerce Gina Raimondo, the U.S. Department of Commerce will launch a new website for the DPF and will provide guidance to participants in the EU-U.S. Privacy Shield Framework to facilitate their transition to the DPF.