The EU-U.S. Agreement to Transfer Personal Data Has Finally Been Signed

On July 10th, 2023, the European Commission announced the adoption of the adequacy decision on the new EU-U.S. Data Privacy Framework for the protection of personal data transferred to the USA.

Following the European Court of Justice's invalidation of the previous adequacy decision on Privacy Shield, personal data should now be able to flow safely to US companies on the basis of this new adequacy decision.

Why was the new EU-US Agreement to transfer personal data necessary?

The transfer of European citizens’ data to the United States of America had already been the subject of two agreements. In both cases, the EU Commission judged the guarantees offered in those agreements positively, stating that the USA guaranteed a level of protection of personal data substantially equal to the one imposed by the European Union on its own Member States.

Nevertheless, the Commission's adequacy decisions were invalidated by the Court of Justice of the European Union which, contrary to the Commission, did not consider the guarantees offered by American legislation suitable. Thus, with the 2015 ruling (case C-362/14, aka Schrems I), the first adequacy decision (the so-called 2000 Safe Harbor) was invalidated. Subsequently, with the 2020 ruling (case C-311/18, the so-called Schrems II), the adequacy decision on Privacy Shield, the deal approved in 2016 to fill the gap left by the invalidation of Safe Harbor, was invalidated as well.

The reasons given in the two rulings of the European Court of Justice were mostly similar. To summarize, the Court highlighted how American intelligence agencies, pursuant to the surveillance laws in force overseas, could easily access European citizens’ data, without any chance for those citizens to appeal to a privacy protection authority to protect their rights in case of infringement.

The new EU-USA Privacy Framework introduces new binding guarantees to protect European citizens. These include limiting access to data by the US intelligence services to what is considered “necessary and proportionate” (this new guarantee on data access will also apply to US companies importing data from the European Union) and the creation of a Data Protection Review Court (DPRC), to which European citizens who feel their rights have been infringed can appeal.

As stated by the President of the Commission, Ursula von der Leyen:

 “The new EU-US Data Privacy Framework will ensure safe data flows for European people and bring legal certainty to companies on both sides of the Atlantic.”

Will the new EU-U.S. Data Privacy Framework withstand the Court of Justice?

Particular doubts have been expressed, mainly with regard to the new limit imposed on the intelligence activities of the US agencies, which will have to be “proportionate”. Since it was not possible to agree on the meaning of the word “proportionate”, the introduction of this new word may not represent a guarantee for European citizens.

Nevertheless, the hope is that the new EU-U.S. Data Privacy Framework will finally answer the need for stability and security of European users and providers in the global market.

Ilaria Feriti