RGPD

Transfer of personal data to the United States possible again

The United States offers an adequate level of protection for personal data transferred from EU companies to the United States. It is in this sense that, on 11 July, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework.

Contents
Schedule a discussion

Reading time:

3 min

The United States offers an adequate level of protection for personal data transferred from EU companies to the United States. It is in this sense that, on 11 July, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework.

The decision follows the signing by the United States of a presidential executive order to strengthen protections for American intelligence activities, in response to the concerns raised by the Court of Justice of the EU in its "Schrems II" judgment.

In particular, measures have been put in place to limit the access of American intelligence agencies to data that is necessary and proportionate, and to establish an independent mechanism to resolve the complaints of Europeans regarding the collection of their data for national security purposes.

If you would like to learn more, do not hesitate to contact me to discuss with a GDPR lawyer.

  1. What is an adequacy decision?

An adequacy decision, provided for by the General Data Protection Regulation (GDPR), allows the transfer of personal data from the EU to third countries that offer a level of protection comparable to that of the EU. Following such decisions, data can flow freely and securely from the European Economic Area (EEA) to a third country, without additional conditions or authorisations.

  1. What are the criteria for assessing adequacy?

Adequacy does not require the data protection system of the third country to be identical to that of the EU, but is based on the principle of "essential equivalence".

This involves an overall assessment of the country's data protection framework, including the available oversight and redress mechanisms.

  1. What is the EU-US Data Privacy Framework?

In its adequacy decision, the Commission carefully assessed the requirements of the EU-US Framework, as well as the limitations and safeguards applicable when data transferred to the United States is accessed by American public authorities, in particular for the enforcement of criminal law and national security.

  1. What are the limitations and safeguards concerning access to data by American intelligence agencies?

A key element of the adequacy decision concerns the presidential executive order that introduces safeguards to limit access to data by American intelligence authorities to what is necessary and proportionate to protect national security, and to establish an independent and impartial redress mechanism.

  1. What is the new redress mechanism in the area of national security and how can individuals use it?

The American government has put in place a new two-tier redress mechanism, with an independent and binding authority, to handle and resolve complaints concerning the collection and use of their data by American intelligence agencies.

  1. When will the decision enter into force?

The adequacy decision entered into force upon its adoption on 11 July.

It will be reviewed regularly, with a first review one year after its entry into force.

  1. What is the impact of the decision on the possibility of using other tools for data transfers to the United States?

All the safeguards put in place by the American government in the area of national security apply to all data transfers under the GDPR to companies in the United States, regardless of the transfer mechanism used.

* * *

In conclusion, the EU-US adequacy decision on the protection of personal data strengthens the security and rights of individuals.

However, its implementation and understanding require specific expertise.

If you process personal data between the EU and the United States, it is crucial to be properly advised.

Do not wait any longer and contact a GDPR lawyer today to guarantee optimal compliance and secure your data transfers.

To learn more

Is the transfer of data to the United States authorised again?

Yes. On 11 July, the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework, considering that the United States offers an adequate level of protection for data transferred from the EU. Transfers to certified American companies are facilitated once again.

What is an adequacy decision?

Provided for by the GDPR, it is a decision of the European Commission recognising that a third country offers a level of data protection comparable to that of the EU. It then allows data to flow freely to that country without any additional condition or authorisation.

On what criteria is adequacy based?

Adequacy does not require a system identical to that of the EU, but an essential equivalence. The Commission assesses the country's protection framework as a whole, including its oversight and redress mechanisms, to verify that the rights of individuals are effectively protected there.

What connection does it have with the Schrems II judgment?

The decision follows the concerns of the Court of Justice of the EU in the Schrems II judgment. The United States signed an executive order strengthening protections relating to intelligence activities, in response to these criticisms, which enabled the adoption of the new adequacy decision.

What safeguards have been put in place on the American side?

Measures limit the access of American intelligence agencies to data to what is necessary and proportionate, and an independent mechanism has been created to handle the complaints of Europeans concerning the collection of their data for national security purposes.

Can my company freely transfer data to the United States?

The transfer is facilitated to American companies adhering to the framework, but their certification must be verified and transfers must continue to be documented. GDPR compliance remains required for the other aspects of processing. A point of vigilance remains regarding the qualification of the recipients.

Can this decision be called into question?

The previous adequacy decisions concerning the United States have already been invalidated by the European courts. It is therefore prudent to follow legal developments and to retain alternative transfer mechanisms, in order not to depend exclusively on this decision.

How can data transfers outside the EU be secured?

By identifying the transfers, verifying the existence of an adequacy decision or by relying on other safeguards (standard contractual clauses, binding corporate rules), and by documenting everything. GDPR support makes it possible to secure these flows and anticipate developments in the legal framework.

Still have questions?

Our team is available!

Have a question?

Vos informations restent strictement confidentielles.
Thank you! We will get back to you shortly. If you'd like to speed things up, schedule a time with me directly here:
Schedule a 15-minute call
Oops! Something went wrong while submitting the form.
Homme en costume bleu foncé avec cravate et pochette blanche, bras croisés, regardant vers l'avant.

Ressources

Aller plus loin

00
article(s) affiché(s) sur
00

10 min

Digital marketing and e-commerce: the legal pitfalls to avoid in 2025
The world of digital marketing is evolving at a breakneck pace, offering e-commerce players unprecedented opportunities.

4 min

Context and challenges of generative AI in intellectual property matters
How should intellectual property, traditionally intended to protect works, be approached in relation to generative AI?

7 min

GDPR and SaaS solutions: legal best practices for publishers
In the age of digital transformation, SaaS (Software as a Service) solutions have established themselves as the standard for distributing professional software. This shift comes with increased responsibility for publishers when it comes to data protection. The General Data Protection

14 min

Exclusive or selective distribution agreement: how to choose the model suited to your business?
Choosing the right distribution model is a major strategic decision for any supplier, manufacturer or network head wishing to develop the marketing of its products. Between exclusive distribution and selective distribution , the legal, competition and commercial stakes are

11 min

Domain Name Impersonation: Effective Legal Actions to Recover It
The impersonation of a domain name constitutes one of the most serious threats to a company's digital identity . This phenomenon, which is steadily increasing, can take various forms: cybersquatting , typosquatting , fraudulent diversion , or simple malicious anticipation .

2 min

Legal Obligations of Digital Platforms
A digital platform is an entity that uses technology to facilitate exchanges of goods, services or social content between various groups. This encompasses a range of structures, from small marketplaces to e-commerce giants such as Amazon and Airbnb. If you have any
Prendre rendez-vous
Book an appointment