PERSONAL DATA – Transfer of personal data EU/US: The European Commission adopts a new adequacy decision

On July 10, 2023, the European Commission adopted a new adequacy decision concerning the transfer of personal data between the European Union and the United States[1].

As a reminder, this new adequacy decision follows the invalidation in 2020[2] by the Court of Justice of the European Union (“CJEU“) of the previous 2016/1250 adequacy decision (“Privacy Shield“) due to concerns about surveillance by US intelligence services. The CJEU, after analyzing U.S. legislation on access to the data of Internet service providers and telecommunications companies by U.S. intelligence services (Section 702 FISA and Executive Order 12 333), concluded that the privacy infringements on individuals whose data is processed by U.S. companies and operators subject to this legislation were disproportionate to the requirements of the Charter of Fundamental Rights. In particular, the Court ruled that the collection of data by the intelligence services was not proportionate, and that available remedies, including judicial remedies, for individuals regarding the processing of their data were insufficient.

The European Commission has since considered that the changes made by the United States to their national legislation now ensure an adequate level of protection for personal data transferred from the European Union to US entities adhering to the EU-US Data Protection Framework (“DPF”).

In particular, the European Commission reports that the U.S. government has established a new two-tier recourse mechanism, with independent authorities, to handle and resolve complaints from individuals whose data have been transferred from the European Union to companies in the U.S. regarding the collection and use of their data by U.S. intelligence agencies.

This two-tier recourse mechanism is structured as follows:

i. Complaints are initially examined by the “Civil Liberties Protection Officer”, whoserole is to ensure that US intelligence agencies respect privacy and fundamental rights.

ii. Data subjects can then appeal the decision of the “Civil Liberties Protection Officer” to a new authority called the “Data Protection Review Court”. This impartial, independent authority is composed of members external to the US government.

Data subjects will also benefit from several legal remedies in the event of incorrect processing of their data by US companies. These include independent dispute resolution mechanisms and a special arbitration panel.

Following the adoption of this new adequacy decision, transfers of personal data from the European Union to US organization adhering to the DPF, which are publicly accessible on the DPF website[3] , can once again take place freely without the need for appropriate safeguards such as standard contractual clauses (“SCC”) supplemented by measures recommended by the European Data Protection Board (“EDPB”). [4]

The European Commission will conduct periodic reviews in collaboration with European data protection authorities and US authorities to ensure that the DPF is working properly. The first review will take place one year after the entry into force of the adequacy decision.

It is worth noting the initial opposition from French Member of Parliament Philippe Latombe who, as a citizen, filed a complaint with the ECJ against the DPF on September 7, 2023. According to the MP, the DPF does not comply with the General Data Protection Regulation (“GDPR”) and the Charter of Fundamental Rights of the European Union. He also points out that it has only been published in English, which would contravene EU rules that require regulations and other texts of general application to be drafted in the official languages[5] . The complaint has since been dismissed on October 12, 2023[6] .

---

[1]https://ec.europa.eu/commission/presscorner/detail/fr/ip_23_3721

[2] ECJ, 16 July 2020, C-311/18, Schrems II: https://curia.europa.eu/juris/document/document.jsf;jsessionid=99B212F04D03066ED3C98B5A71ECF050?text=&docid=228677&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=589712

[3] DPF website: https://www.dataprivacyframework.gov/s/participant-search

[4] Recommendations n°01/2020: https://edpb.europa.eu/system/files/2022-04/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_fr.pdf

[5] https://www.usine-digitale.fr/article/le-depute-philippe-latombe-depose-un-recours-contre-le-data-privacy-framework-qui-lie-l-ue-et-les-etats-unis.N2168837

[6] https://curia.europa.eu/juris/document/document.jsf?text=&docid=278542&pageIndex=0&doclang=FR&mode=lst&dir=&occ=first&part=1&cid=225583