Brussels, 9 October 2024
The Commission has published a report today following the first review of the adequacy decision for the EU-US Data Privacy Framework (DPF) for personal data transferred from the European Union to organisations in the US.
Based on the information gathered during the review, the Commission concludes that the US authorities have put in place all the constitutive elements of the framework. This includes the implementation of safeguards to limit access to personal data by US intelligence authorities to what is necessary and proportionate to protect national security, and the establishment of an independent and impartial redress mechanism. The report also contains a number of recommendations to ensure that the Framework continues to function effectively, such as developing common guidance between US authorities and EU data protection authorities on key DPF requirements. The Commission will continue to monitor developments and will report periodically on its functioning.
The review is based on input from a wide range of actors including civil society organisations, trade associations, EU data protection authorities, US authorities involved in implementing the framework, as well as feedback from the general public via the ‘Have your Say’ portal. The report builds also on information gathered during the review meeting in July 2024 between Commissioner for Justice Didier Reynders, US Secretary of Commerce Gina Raimondo, and their experts. The EU delegation to the review meeting included representatives of the European Commission and the European Data Protection Board.
More information on EU-U.S. data transfers is available here.
Background on EU-US data transfers: How personal data transferred between the EU and US is protected.
- Commercial sector: adequacy decision on the EU-US Data Privacy Framework
- Law enforcement cooperation: EU-US Umbrella Agreement
Commercial sector: adequacy decision on the EU-US Data Privacy Framework
On 10 July the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework. On the basis of the adequacy decision, personal data can flow freely from the EU to companies in the United States that participate in the Data Privacy Framework.
The adequacy decision followed the adoption of Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’ by US President Biden on 7 October and a Regulation issued by the US Attorney General. These instruments introduced new binding safeguards to address the points raised by Court of Justice of the European Union in its Schrems II decision of July 2020, ensuring that data can be accessed by U.S. intelligence agencies only to the extent necessary and proportionate and establishing an independent and impartial redress mechanism to handle and resolve complaints from Europeans concerning the collection of their data for national security purposes.
The safeguards that have been put in place by the US Government in the area of national security (including the redress mechanism) apply to all data transfers under the GDPR to companies in the US, regardless of the transfer mechanims used. These safeguards therefore also faciliate the use of other tools, such as standard contractual clauses and binding corporate rules.
Law enforcement cooperation: EU-US Umbrella Agreement
The EU-US Data Protection Umbrella Agreement concluded in December 2016 introduced high privacy safeguards for transatlantic law enforcement cooperation. It contains a comprehensive set of data protection rules that apply to all transatlantic exchanges between criminal law enforcement authorities. In this way, it also strengthens law enforcement cooperation by facilitating the exchange of information. It therefore meets the two-fold objective of working with our U.S. partners to combat serious crime and terrorism while advancing the level of protection of Europeans in line with their fundamental rights and the EU data protection rules.
EU-US Data Protection Umbrella Agreement – 20 May 2016 – English – Download
Related links
- Joint Press Statement from European Commissioner for Justice Didier Reynders and U.S. Secretary of Commerce Wilbur Ross || 10 August 2020
- Press release on the second Review of the EU-US Privacy Shield – 19 December 2018
- Press release on the first Review of the EU-US Privacy Shield – 18 October 2017
- EU-US Privacy Shield decision and annexes – 12 July 2016
- EU-US Privacy Shield: questions and answers – 12 July 2016
- Press release on the launch of the EU-US Privacy Shield – 12 July 2016
- Communication on Transatlantic Data Flows: Restoring Trust through Strong Safeguards – 29 February 2016
- Communication on the Transfer of Personal Data from the EU to the US following the Judgment by the Court of Justice in Case C-362/14 (Schrems) – 06 November 2015
- Press Release on the EU-US data protection “Umbrella Agreement” – 01 December 2016
- Questions and Answers on the EU-U.S. Data Protection “Umbrella Agreement” – 01 December 2016
- Report on the third annual review of the EU-US Privacy Shield – 23 October 2019
- Report on the second annual review of the EU-US Privacy Shield – 2018
- Staff Working Document – Third annual review 23 October 2019
- Staff Working Document – Second annual review 19 December 2018
- Report on the first annual review of the EU-US Privacy Shield (2017) 18 October 2017
Source – EU Commission