Updates on the transfer of personal data between the EU and the US

Share this publication

On July 10, 2023, the European Commission (“EC”) adopted a decision recognizing that the newly established EU-US Privacy Shield Framework (“the Framework”) sufficiently guarantees the security of data when it is transferred. In doing so, the EC has taken a decisive step towards easing the regime for the transfer of personal data between the EU and the US and has created the conditions for deepening the partnership and improving business relations.

What’s new?

First, in order for the Privacy Shield Framework to apply, U.S. companies must be on the “Privacy Shield Framework List” maintained and publicly available by the U.S. Department of Commerce. In order for companies to be included on this list, they must undertake a number of obligations aimed at protecting the personal data transferred from EU subjects. The obligations to be complied with by companies on the list address privacy – for example, the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties. The Framework also incorporates many principles from the General Data Protection Regulation (“GDPR”). These include purpose limitation, accuracy, transparency, etc. The protection provided under the Framework should roughly correspond to that provided by the GDPR.

Since an adequacy decision has been adopted, pursuant to Art. 45, para. 1 of the GDPR, the transfer of data of EU citizens to companies in the USA takes place on the basis of the adequacy decision so issued, without any additional instruments for the transfer of the data.

Therefore, by argument to the contrary, the transfer of data between the EU and the US, where the US company receiving the data is not listed in the “Data Privacy Framework List”, takes place as previously known – through standard contractual clauses, binding corporate rules, etc.

Among the security guarantees provided by the United States regarding the personal data of European subjects are:

A) limiting access by US intelligence services to what is necessary to protect their national security;

B) ensuring that data subjects have more rights and a real possibility to exercise them;

C) create a special body, the Data Protection Review Court.

In this way, data subjects will have access to an impartial and independent competent authority and to a real and effective redress mechanism against unlawful processing of personal data.

With the guarantees provided for in the Privacy Shield Framework, data subjects will be able to access, rectify, erase or object to the processing of their personal data. This possibility largely corresponds to the rights of data subjects provided for in the GDPR. It is important to note that data subjects will be able to exercise these rights not only to controllers located in the EU, but also directly to recipients in the US. The new Data Protection Review Court can be seised by a properly lodged complaint and has the power, where it finds that personal data has been collected in breach of the new guarantees, to order erasure or impose other corrective measures.


That decision of 10 July comes as a consequence of a 2020 decision of the Court of Justice of the European Union (“CJEU”), which found the Privacy Shield to be a means that did not provide adequate protection. As a result, the transfer of data between the EU and the US has become more complicated and recourse has had to be made to the other data transfer tools regulated in the GDPR. This has made it more difficult for citizens and businesses. Therefore, the US has made and kept a commitment to create the conditions for safe data transfer.

What’s next?

Pursuant to Article 45, para. 4 of the GDPR, the Commission shall keep under constant monitoring developments in third countries and international organisations that could affect the functioning of decisions on the adequate level of protection. Therefore, the Commission will have to continuously monitor the situation in the United States with regard to the legal framework and actual practice for the processing of personal data as assessed in the present Decision.

In addition to the above, the European Commission and the competent authorities in the US will also conduct periodic reviews of the Privacy Shield Framework to ensure its functioning. The first such review will take place one year after its adoption.

Previous Post
Draft law amending and supplementing the Social Security Code
Next Post
Company with variable capital – Part I
Read more
Skip to content