Transfer of personal data EU/USA ● Adequacy decision of 10 July 2023 of the European Commission (commercial sector)

Commission Implementing Decision of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework, C(2023) 4745 final

On 10 July, the European Commission officially adopted a new adequacy decision on the EU-US Data Privacy Framework.

Personal data will move freely from the EU to companies in the United States that participate in this new Data Privacy Framework, the list of which will be managed and made public by the US Department of Commerce, regardless of the transfer mechanisms used (standard contractual clauses, binding corporate rules, etc.).

The adequacy decision follows the adoption by the US President on 7 October 2022 of Executive Order (E.O.)14086 "Enhancing Safeguards for United States Signals Intelligence Activities" which ensures that data can only be accessed by US intelligence agencies to the extent necessary and proportionate, establishes an independent body and an impartial redress mechanism to address and resolve complaints about the collection of data for national security purposes:

1. New requirements for the collection and processing of personal data by US intelligence agencies, regardless of the nationality of the data subject. Intelligence activities are required to be "necessary" and "proportionate" and to be undertaken for one of twelve enumerated national security and intelligence purposes.
2. Extension of oversight of intelligence programmes by US government agencies. The Civil Liberties Protection Officer (CLPO) appointed by the Director of National Intelligence (DNI) must conduct an assessment prior to any new intelligence gathering operation. Bulk collection may only be authorised where the information cannot reasonably be obtained by targeted collection. In addition, intelligence agencies must retain documentation relating to the collection of personal data and update their policies and procedures to ensure effective control of new safeguards.
3. Creation of a redress mechanism for individuals in "qualifying states" who claim that their personal data has been unlawfully collected as part of intelligence programmes. Individuals can lodge a complaint with the CLPO, which has the power to investigate complaints and issue binding decisions against intelligence agencies. Individuals may also appeal CLPO decisions to the Data Protection Review Court (DPRC), which has been established by regulations issued by the US Attorney General. The DPRC will be composed of at least six independent judges, appointed from outside the US government and specialising in national security issues. The judges will not be subject to the day-to-day supervision of the Attorney General and will not be subject to removal or adverse action by reason of their office. Individuals will be represented before the DPRC by special advocates and the DPRC's decisions will be final and binding.

This new framework responds to the concerns raised by the Court of Justice of the European Union (CJEU) in the Schrems II judgment of 16 July 2020 (Case C-311/18), which invalidated the previous adequacy decision on the EU-US "Privacy Shield". The CJEU found that US law "does not provide for the necessary limitations and safeguards with regard to the interferences authorised by its national legislation and does not ensure effective judicial protection against such interferences" (point 168). Several surveillance programmes allowed US intelligence agencies to collect and process data on a massive scale from European residents without them having an effective right of appeal against such interference.

* * *

Transfer of personal data from Monaco to the United States

As a reminder, transfers of data to the United States, which is not on the list of countries with an adequate level of protection within the meaning of article 20 of Law no. 1.165 of 23 December 1993 consolidated, are subject to prior authorisation from the Commission de Contrôle des Informations Nominatives (CCIN).

List of countries with an adequate level of protection: Andorra, Argentina, Austria, Belgium, Bulgaria, Canada, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Guernsey, Hungary, Iceland, Ireland, Italy, Isle of Man, Faroe Islands, Jersey, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, New Zealand, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, United Kingdom, Uruguay.

* * *