GDPR, personal data protection, EC, Crowe

European Commission decides on the protection of personal data transferred from EU to USA

Violetta Matusiak, Data Security Inspector, Security Consulting
8/3/2023
On 10 July 2023, the European Commission adopted a new adequacy decision, confirming that the so-called 'EU-US Data Privacy Framework' provides an adequate level of protection for personal data. The decision will facilitate the transfer of personal data from the EU to the US.

What is the "EU-US Data Privacy Framework"?

The EU-US Data Privacy Framework sets out the principles for the secure and trusted transfer of personal data from the European Economic Area to the United States of America. The Framework aims to ensure a level of protection essentially equivalent to the one guaranteed for personal data within the EU.

In its current form, the Framework is designed to reconcile two legal orders: US law governing the privacy and intelligence use of data, such as the Privacy Act and the Foreign Intelligence Surveillance Act (FISA), and EU requirements, above all the GDPR (General Data Protection Regulation).

Why was the EU-US Data Privacy Framework created?

The creation of the Framework follows from the rulings of the Court of Justice of the European Union (CJEU) in the Schrems I and Schrems II cases, which invalidated the Framework's two predecessors, the EU-US Safe Harbour and the EU-US Privacy Shield. In both cases the CJEU found that the previous arrangement did not ensure a sufficient level of protection for personal data transferred from the EU to the US, mainly because of the scope of access by US intelligence services and the lack of effective redress for EU individuals. The current Framework incorporates almost all of the CJEU's requirements, most notably those concerning:

  • limiting access to data by US security services and public authorities,
  • ensuring continuity of data protection when data are made available to other entities,
  • enabling data subjects to seek redress in the event of improper processing.

What are the principles of the EU-US Data Privacy Framework?

The main assumptions of the EU-US Data Privacy Framework include:

  1. Commitment of parties: organisations operating in the US which wish to receive and process personal data from the EU must publicly commit to, and comply with, the Framework's data protection principles.
  2. Monitoring and enforcement: the Framework provides mechanisms for monitoring and enforcing compliance with those principles by the relevant US regulators.
  3. Individual rights: the Framework gives individuals (natural persons) whose data is processed certain rights in relation to accessing, correcting or deleting their data, and the ability to complain if those rights are violated.

Protect against access by US security services and public authorities to personal data transferred from the EU

The EU-US Data Privacy Framework also limits access by US security services and public authorities to personal data transferred from the EU. Such access is limited to what is necessary and proportionate to protect national security. Any access by US services and public authorities to personal data from the EU must be justified and lawful.

A second key element of the protection against access by security services and public authorities is redress. Individuals in the EU who believe that their data has been accessed unlawfully by US intelligence services can lodge a complaint, which is first examined by the Civil Liberties Protection Officer of the US intelligence community and can then be reviewed by the newly created Data Protection Review Court. Individuals therefore have the opportunity to defend their rights and take appropriate action to protect their privacy.

Participation in the EU-US Data Privacy Framework

By participating in the Framework, US entities undertake to comply with obligations to protect personal data transferred from the EU. The limits on access by US security services and public authorities described above are commitments made by the US government and apply to all data transferred under the Framework, whichever member receives it. By participating in the programme, US entities can legally receive personal data from EU companies and process it in accordance with EU privacy standards. It also allows them to avoid the risk of sanctions and restrictions on data flows that could result from the European Commission's failure to recognise an adequate level of privacy protection.

However, joining the Framework is not just a formality. Participating companies must self-certify to the US Department of Commerce, publicly commit to the Framework's Principles and renew that certification annually. Compliance is enforced by the US Federal Trade Commission (or, for carriers, the Department of Transportation), and a false claim of participation is itself enforceable as a deceptive practice.

US companies' participation in the Framework also demonstrates their commitment to protecting the privacy of their customers' and counterparties' personal information. It also provides confirmation that these entities respect European standards and regulations related to data privacy, which is a key element in building trust and maintaining positive business relationships with European partners.

What does the European Commission's decision of 10 July 2023 on the EU-US Data Privacy Framework mean?

This decision confirms that the EU-US Data Privacy Framework provides an adequate level of protection for personal data transferred from the EEA to the US. According to the EC, this level is comparable to European standards. Data transfers to US organisations that have joined the Framework can therefore take place without any additional transfer tool. EU exporters do not need to obtain special authorisations or rely on binding corporate rules or standard contractual clauses in order to transfer personal data to such companies. This, in turn, will significantly simplify the transatlantic transfer of personal data. As announced, a list of the US entities participating in the Framework is expected to be published soon by the US Department of Commerce. Before relying on the decision, an exporter should check that the recipient actually appears on that list and that the certification covers the type of data being transferred.

Important: for transfers to US companies that have not joined the Framework, or whose certification does not cover the data in question, the exporter still needs to rely on one of the conditions set out in Articles 46-49 of the GDPR (for example, standard contractual clauses or binding corporate rules).

Contact us

Violetta Matusiak
Data Protection Inspector
