Information note on data transfers under the GDPR to the United States after the adoption of the adequacy decision on 10 July 2023
On 10 July 2023, the European Commission (‘the Commission’) adopted its Implementing Decision of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework (‘the Adequacy Decision’), which contains in its annex the EU-US Data Privacy Framework (‘DPF’).
By doing so, the Commission decided that the United States (‘the US’), for the purpose of Article 45 of Regulation (EU) 2016/679 (‘the GDPR’), ensures an adequate level of protection for personal data transferred from the EU to organizations in the US that are included in the ‘Data Privacy Framework List’, maintained and made publicly available by the U.S. Department of Commerce, in accordance with Section I. of Annex I of the Adequacy Decision.
Prior to the adoption of this decision, the European Data Protection Board (‘the EDPB’) adopted its opinion on the draft Adequacy Decision, in compliance with Article 70(1)(s) GDPR.
This document aims at providing some clarity on the implications of the Adequacy Decision for data subjects in the EU and for entities transferring personal data from the EU to the US.
1. How can personal data be transferred to the US on the basis of the DPF?
The Adequacy Decision has applied since 10 July 2023. This means that, as of this date, transfers from the EU to organizations in the US that are included in the ‘Data Privacy Framework List’ may be based on the Adequacy Decision, without the need to rely on Article 46 GDPR transfer tools.
This also means that transfers based on the Adequacy Decision do not have to be complemented by supplementary measures. The EDPB refers to the explanations provided on this matter by the Commission.
2. How can personal data be transferred to the US if the data importer is not included in the ‘Data Privacy Framework List’?
Transfers to entities in the US which are not included in the ‘Data Privacy Framework List’ cannot be based on the Adequacy Decision and will require appropriate data protection safeguards, enforceable rights and effective legal remedies for data subjects (e.g. through standard data protection clauses, binding corporate rules), in accordance with Article 46 GDPR.
In this respect, the EDPB underlines that all the safeguards that have been put in place by the US Government in the area of national security (including the redress mechanism) apply to all data transferred to the US, regardless of the transfer tool used. Therefore, when assessing the effectiveness of the Article 46 GDPR transfer tool chosen, data exporters should take into account the assessment conducted by the Commission in the Adequacy Decision.
3. Can data subjects in the EU lodge complaints under the DPF?
Individuals whose data are transferred to the US based on the Adequacy Decision have several redress mechanisms at their disposal if they consider that the US organization concerned does not comply with the DPF. Individuals are encouraged to first raise any complaint they may have with the relevant US organization. In case of inquiries, EU organizations may, if necessary, seek the advice of their data protection authorities that are competent to oversee the related processing activities.
4. How can EU data subjects make use of the new redress mechanism in the area of national security?
Regardless of the transfer tool used to transfer their personal data to the US, data subjects in the EU can submit a complaint to their national data protection authority to make use of the new redress mechanism in the area of national security. The national data protection authority, in turn, will ensure that the complaint is handed over to the EDPB, which will transmit the complaint to the US authorities that are competent to handle the complaint. Furthermore, the data protection authority will ensure that the data subject is provided with information regarding the complaint handling process, including information regarding the outcome of the lodged complaint. For a complaint to be admissible, individuals do not need to demonstrate that their data was in fact collected by US intelligence agencies.
5. Will the Adequacy Decision be reviewed?
The first review of the Adequacy Decision will take place one year after it enters into force, to verify whether all elements have been fully implemented and are effective in practice. Following the first review and depending on its outcome, the Commission will decide, in consultation with the EDPB and the EU Member States, on the periodicity of subsequent reviews, which will in any event take place at least every four years. The EDPB and its members stand ready to actively take part in this evaluation.
For the European Data Protection Board
The Chair (Anu Talus)