The transfer of personal data from the EU to the United States has always been a controversial issue. 
On July 12, 2016, the European Commission issued an adequacy decision on the EU-U.S. Privacy Shield Framework, which replaced the previously existing Safe Harbor program. 
On July 16, 2020, the European Union Court of Justice (CJEU) invalidated the EU-US Privacy Shield in its decision in Facebook Ireland v. Schrems (Schrems II). The court determined that the Privacy Shield transfer mechanism did not comply with the level of protection required under EU law, focusing on its inability to protect European Economic Area data subjects' personal information from the U.S. Government's surveillance powers, as such powers derive from national surveillance laws.

After the invalidation of the above adequacy decision on the EU-US Privacy Shield by the Court of Justice of the EU, the European Commission and the US government entered into discussions on a new framework that addressed the issues raised by the Court, as provided in Article 45(3) of the General Data Protection Regulation (GDPR), which grants the Commission the power to decide, by means of an implementing act, that a non-EU country ensures ‘an adequate level of protection’, that is, a level of protection for personal data that is essentially equivalent to the level of protection within the EU. The effect of such adequacy decisions is that personal data can flow freely from the EU (and Norway, Liechtenstein and Iceland) to a third country without further obstacles.

Finally, on July 10, 2023, the European Commission adopted the new adequacy decision for the EU-U.S. Data Privacy Framework, which introduces significant improvements compared to the mechanism that existed under the Privacy Shield. The decision concludes that the United States ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new framework.

On the basis of the above new adequacy decision, personal data can flow safely from the EU to US companies participating in the Framework, without having to put in place additional data protection safeguards.

US companies will be able to join the EU-U.S. Data Privacy Framework by committing to comply with a detailed set of privacy obligations, for instance the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties. At the same time, EU individuals will benefit from several redress avenues in case their data is wrongly handled by US companies, such as independent dispute resolution mechanisms and an arbitration panel, which will be available free of charge.

Further, the EU-U.S. Data Privacy Framework introduces new binding safeguards to address all the concerns raised by the European Court of Justice, including limiting access to EU data by US intelligence services to what is necessary and proportionate, and establishing a Data Protection Review Court (DPRC), which forms part of an independent and impartial redress mechanism regarding the collection and use of EU individuals' data by US intelligence agencies.

EU individuals will have access to the DPRC, which will independently investigate and resolve complaints, including by adopting binding remedial measures.
For example, if the DPRC finds that data was collected in violation of the new safeguards, it will be able to order the deletion of the data. The new safeguards in the area of government access to data will complement the obligations that US companies importing data from the EU will have to subscribe to.

Athens, July 12, 2023
Avramopoulos & Partners

For further information please contact:
Barbara Angelopoulou
Partner
E-mail: b.angelopoulou@avralaw.gr
Tel.: +30 210 691 2200
Fax: +30 210 691 1211