On 10th July 2023, the European Union announced that personal data may be transferred to the United States, following changes to the US legal framework that adapt it to the data protection guarantees required by the EU.
The main change that made this decision possible is the executive order signed by the US President in October 2022 to fulfil the pledges made to the EU on data protection. The order limits intelligence agencies' access to and processing of personal data, and creates a mechanism for resolving complaints about improper data processing, bringing these aspects into line with the guarantees existing in the EU.
For personal data to be transferred from an EU member state to a non-EU country, the third country must offer a level of protection that is essentially equivalent to that existing in the EU, though not necessarily identical, as the Court of Justice clarified in case C-362/14, Maximillian Schrems v Data Protection Commissioner.
To this end, the EU-USA Privacy Framework introduces a series of principles that the USA must adopt in order to provide that level of protection. These principles determine the certified entities, define the basic concepts of personal data, and limit the processing of personal data to certain purposes, as well as introducing obligations such as the deletion of data when they are no longer required for the purpose for which they were gathered.
Only the entities that undertake to comply with the principles included in the framework may receive personal data from the EU under the conditions introduced by the Privacy Framework. This commitment is recorded in the “Data Framework List”, a public list of the entities that voluntarily decide to commit to compliance with the principles. The list will be constantly updated as new entities are added and those that decide to withdraw, or that do not comply with the principles, are removed.
Access by the US intelligence agencies to the data of citizens residing in the EU is limited by the principles of necessity and proportionality. For complaints in this area, an appeal mechanism is made available to EU citizens. Complaints may be filed through the national data protection authorities, which, through the European Data Protection Board, will forward them to the US, where they will be processed and a ruling made on whether the principles of necessity and proportionality were complied with.
Furthermore, a “Data Protection Review Court (DPRC)” is established. It is composed of members who are unrelated to the government, who may not receive instructions or be removed without just cause, and who have the capacity to investigate complaints and make binding decisions, as well as to order the deletion of data where necessary. This court may be called upon in the event that the claimant does not agree with the US response to the complaint.
If this agreement survives the possible challenges before the European Court of Justice, it will put an end to the long legal struggle to reach an agreement on the long-awaited cross-border transfer of personal data, opening a new stage in trade between the EU and the US.
Oscar Vilá
Vilá Abogados
8th September 2023