GDPR: personal data can again flow freely from EU to US
In July, the European Commission adopted a key decision establishing the EU-US Data Privacy Framework. Its main aim is to ensure that personal data flowing into the US are protected in a way that is comparable to that guaranteed by EU countries. The framework will make life easier for organisations that transfer personal data to US companies.
The EU-US Data Privacy Framework is the European Commission’s third attempt to set rules for transferring personal data from the EU to the US. Previous attempts, known as Privacy Shield and Safe Harbour were overturned by the Court of Justice of the European Union (CJEU) at the initiative of activist Maximilian Schrems and the organisation noyb (none of your business), primarily on the grounds of a lack of a personal data protection guarantee on the US part.
The new framework provides safeguards reflecting the concerns and ideas voiced by the CJEU, mainly as regards access by US intelligence services to the personal data of EU citizens. The US authorities’ access to EU personal data will now be limited to what is necessary and proportionate for the purpose of protecting national security. In the event of a breach of the rules of handling personal data, several independent and impartial redress mechanisms are now available to EU citizens, one of them being the possibility of recourse to the newly established Data Protection Review Court.
Following the example of Privacy Shield, this setup also allows for the free flow of personal data to US companies certified under the framework’s rules. To become certified, a company must demonstrate that it meets data protection requirements and commits to compliance with the framework’s principles. Therefore, before initiating the process of transferring personal data to the US, we recommend that you check whether the company to which you are to transfer the data is on the list of certified companies. The list can be found here.