publication date: December 15, 2022
On 13 December 2022, the European Commission launched the process towards the adoption of an adequacy decision for the EU-U.S. Data Privacy Framework, which will foster safe trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union in its Schrems II decision of July 2020.
The draft adequacy decision, which reflects the assessment by the Commission of the US legal framework and concludes that it provides comparable safeguards to those of the EU, has now been published and transmitted to the European Data Protection Board (EDPB) for its opinion. The draft decision concluded that the United States ensures an adequate level of protection for personal data transferred from the EU to US companies.
US companies will be able to join the EU-U.S. Data Privacy Framework by committing to comply with a detailed set of privacy obligations, for instance, the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties.
EU citizens will benefit from several redress avenues if their personal data is handled in violation of the Framework, including, free of charge, before independent dispute resolution mechanisms and an arbitration panel.
In addition, the US legal framework provides for a number of limitations and safeguards regarding the access to data by US public authorities, in particular for criminal law enforcement and national security purposes. This includes the new rules introduced by the US Executive Order, which addressed the issues raised by the Court of Justice of the EU in the Schrems II judgment:
– Access to European data by US intelligence agencies will be limited to what is necessary and proportionate to protect national security.
– EU individuals will have the possibility to obtain redress regarding the collection and use of their data by US intelligence agencies before an independent and impartial redress mechanism, which includes a newly created Data Protection Review Court.
– The Court will independently investigate and resolve complaints from Europeans, including by adopting binding remedial measures.
– European companies will be able to rely on these safeguards for trans-Atlantic data transfers, also when using other transfer mechanisms, such as standard contractual clauses and binding corporate rules.
Next planned steps
The draft adequacy decision will now go through its adoption procedure. As a first step, the Commission submitted its draft decision to the European Data Protection Board (EDPB). Afterwards, the Commission will seek approval from a committee composed of representatives of the EU Member States. In addition, the European Parliament has a right of scrutiny over adequacy decisions. Once this procedure is completed, the Commission can proceed to adopting the final adequacy decision.
The functioning of the EU-U.S. Data Privacy Framework will be subject to periodic reviews, which will be carried out by the European Commission, together with European data protection authorities, and the competent US authorities. The first review will take place within one year after the entry into force of the adequacy decision, to verify whether all relevant elements of the US legal framework have been fully implemented and are functioning effectively in practice.
Article 45(3) of the General Data Protection Regulation grants the Commission the power to decide, by means of an implementing act, that a non-EU country ensures ‘an adequate level of protection’, i.e. a level of protection for personal data that is essentially equivalent to the level of protection within the EU. The effect of adequacy decisions is that personal data can flow freely from the EU (and Norway, Liechtenstein and Iceland) to a third country without further obstacles. After the invalidation of the previous adequacy decision on the EU-US Privacy Shield by the Court of Justice of the EU, the European Commission and the US government entered into discussions on a new framework that addressed the issues raised by the Court.
In March 2022, following intense negotiations between the lead negotiators, Commissioner Reynders and Secretary Raimondo, President von der Leyen and President Biden announced an agreement in principle on a new transatlantic data transfer framework. In October 2022, President Biden signed an Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’, which was complemented by regulations adopted by the US Attorney General. Together, these two instruments implemented the US commitments into US law, and complemented the obligations for US companies. On this basis, the Commission is now proposing a draft adequacy decision on the EU-U.S. Data Privacy Framework.
Once the adequacy decision is adopted, European entities will be able to transfer personal data to participating companies in the United States, without having to put in place additional data protection safeguards.
The text of the draft adequacy decision can be found here:
https://commission.europa.eu/document/e5a39b3c-6e7c-4c89-9dc7-016d719e3d12_en