The European Commission has begun the process to adopt an adequacy decision for the EU-U.S. Data Privacy Framework, which aims to facilitate trans-Atlantic data flows and address the concerns raised by the CJEU in its Schrems II decision of July 2020.
The draft decision follows the signature of a US Executive Order by President Biden on 7 October 2022, and the regulations issued by US Attorney General Merrick Garland. These documents implemented into US law the agreement in principle announced by President von der Leyen and President Biden in March 2022.
The draft adequacy decision reflects the assessment by the Commission of the US legal framework and concludes that it provides comparable safeguards to those of the EU. The draft decision determines that the US ensures an adequate level of protection for personal data transferred from the EU to US companies.
What does the draft decision say?
US companies will be able to join the EU-U.S. Data Privacy Framework by committing to comply with a detailed set of privacy obligations, e.g. the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties. There will be several options for redress if personal data is handled in violation of the Framework, including independent dispute resolution mechanisms and an arbitration panel.
In addition, the US legal framework provides for several limitations and safeguards regarding access to data by US public authorities, in particular for criminal law enforcement and national security purposes. This includes the new rules introduced by the US Executive Order, which aimed to address the issues raised by the Court of Justice of the EU in the Schrems II judgment:
- Access to European data by US intelligence agencies will be limited to what is necessary and proportionate to protect national security; and
- EU individuals will be able to obtain redress regarding the collection and use of their data by US intelligence agencies through an independent and impartial redress mechanism, which includes a newly created Data Protection Review Court. The Court will independently investigate and resolve complaints from Europeans, including by adopting binding remedial measures.
European companies will be able to use new rules for trans-Atlantic data transfers, including when using other transfer mechanisms, such as standard contractual clauses and binding corporate rules.
Next steps
The draft adequacy decision will now go through its adoption procedure. As a first step, the Commission has submitted its draft decision to the European Data Protection Board. Afterwards, the Commission will seek approval from a committee composed of representatives of the EU member states. In addition, the European Parliament has a right of scrutiny over adequacy decisions. Once this procedure is completed, the Commission can adopt the final adequacy decision.
The EU-U.S. Data Privacy Framework will be subject to periodic reviews by the European Commission, European data protection authorities, and the competent US authorities. The first review will take place within one year of the adequacy decision entering into force, to make sure that relevant elements of the US legal framework have been fully implemented and are functioning effectively in practice.