The European Commission has adopted yesterday its adequacy decision on the new Privacy Shield, the EU-US Data Privacy Framework (“DPF”), facilitating the flow of data between the European Union and the USA. This means that personal data can flow freely from the EU to US companies participating in the framework without requiring additional data protection safeguards.
This decision had been expected since July 2020, when the Privacy Shield was invalidated by the Court of Justice of the European Union. The European Union had initiated this process last December, judging that the US legal framework now offers sufficient data protection guarantees. The framework includes new binding safeguards, such as the creation of a Data Protection Review Court and the limitation of access to EU data by US intelligence services to what is “necessary and proportionate”.
Max Schrems, responsible for the proceedings that led to the invalidation of Safe Harbor and Privacy Shield, has already expressed his doubts about the safeguards provided, considering that the DPF is largely a copy of the Privacy Shield. His association NYOB confirms that a new procedure will be launched to challenge this adequacy decision. Max Schrems points out for example that the USA has not reformed the Foreign Intelligence Surveillance Act (FISA) 702 in order to grant non-Americans reasonable privacy protections.
We therefore strongly recommend to integrate this new adequacy with caution and to give preference to other data protection safeguards for data transfers to the USA.
From a Monaco perspective, this decision by the European Commission is not directly applicable to the Principality of Monaco and the USA are not considered a country with an adequate level of protection by the Monegasque Data Protection Authority (CCIN).
DL Corporate & Regulatory and Ambre Bernat, DPO certified by the French CNIL, are recognized as a data protection expert and will be pleased to advise and secure your data transfers and flows.