On Tuesday, December 13, the European Commission began the long-awaited process of adopting an adequacy decision for the European Union (EU)-U.S. Data Privacy Framework (EU-U.S. DPF), which aims to address the concerns raised by the European Court of Justice when it overturned the European Commission's adequacy decision underlying the EU-U.S. Privacy Shield framework in 2020.
President Biden and European Commission President von der Leyen earlier said that they had achieved an agreement in principle on the new EU-US DPF, which would be implemented in March 2022.
Following that, on October 7, 2022, President Biden issued the long-awaited executive order (EO) on Enhancing Safeguards for United States Signals Intelligence Activities, establishing important directions to carry out the United States’ responsibilities under the EU-U.S. DPF.
The European Commission’s most recent draft adequacy decision describes the European Commission’s assessment of President Biden’s EO, determining that it provides an appropriate level of protection for personal data transmitted from the EU to U.S. companies.
What exactly is an adequacy decision?
An adequacy decision is one of the methods offered by the General Data Protection Regulation (GDPR) for transferring personal data from the EU to third countries that, in the Commission’s assessment, provide a similar level of personal data protection to that of the European Union.
Personal data may travel freely and securely from the European Economic Area (EEA) to a third country as a consequence of adequacy decisions, without any additional limitations or authorizations. In other words, transfers to the third country may be handled in the same manner as data transfers within the EU.
Following the adoption of the adequacy decision, European businesses will be free to transmit personal data to participating companies in the United States without the need for extra data protection safeguards.
US businesses will be able to confirm their participation in the EU-US Data Privacy Framework by agreeing to a comprehensive set of privacy responsibilities (such as purpose limitation and data retention, as well as specific obligations concerning data security and the sharing of data with third parties).
US companies will be able to join the EU-US Data Privacy Framework by agreeing to a detailed set of privacy obligations, such as the requirement to delete personal data when it is no longer required for the purpose for which it was collected and to ensure continuity of protection when personal data is shared with third parties. If their personal data is treated in contravention of the Framework, EU residents will have many options for remedy, including free access to independent dispute resolution processes and an arbitration panel.
Furthermore, the US legal framework imposes a variety of restrictions and safeguards on data access by US public bodies, particularly for criminal law enforcement and national security purposes. This includes the additional rules imposed by the US Executive Order, which addressed the concerns raised by the EU Court of Justice in the Schrems II decision:
• Access to European data by US intelligence agencies will be limited to what is necessary and proportionate to protect national security.
• EU citizens will be able to seek redress for the collection and use of their data by US intelligence agencies through an independent and impartial redress mechanism, which includes a newly established Data Protection Review Court. The Court will examine and resolve complaints from Europeans independently, including by imposing obligatory corrective measures.
These safeguards will be available to European companies for trans-Atlantic data transfers, as well as when they use other transfer mechanisms such as standard contractual clauses and binding corporate rules.
The European Data Protection Board ("EDPB") will now provide its opinion on whether the new EU-US Data Privacy Framework is sufficient to offer a comparable level of protection for personal data transferred from the EU to companies in the United States. Following that, a committee of representatives from Member States will be asked to approve the draft adequacy decision. Finally, the proposed adequacy decision will be subject to review by the European Parliament.
The EU Commission may make the final adequacy decision after the adoption procedure is completed. The EU-US Data Privacy Framework adoption procedure is projected to take six months.
Article 45(3) of the General Data Protection Regulation empowers the Commission to decide, through an implementing act, whether a non-EU country provides "an adequate level of protection," i.e. a level of protection for personal data that is essentially equivalent to the level of protection within the EU. Personal data may flow freely from the EU (including Norway, Liechtenstein, and Iceland) to a third country as a result of adequacy decisions.
Following the Court of Justice of the EU’s invalidation of the previous adequacy decision on the EU-US Privacy Shield, the European Commission and the US government began negotiations on a new framework that addressed the problems expressed by the Court.
President von der Leyen and President Biden announced an agreement in principle on a new transatlantic data transfer framework in March 2022, after rigorous discussions between the principal negotiators, Commissioner Reynders and Secretary Raimondo. President Biden signed an Executive Order in October 2022 titled “Enhancing Safeguards for United States Signals Intelligence Activities,” which was complemented by rules issued by the US Attorney General.
Together, these two instruments incorporated the US commitments into US law and complemented the requirements for US companies. The Commission is now presenting a draft adequacy decision on the EU-US Data Privacy Framework on this basis.
In the meantime, companies may continue to employ the GDPR's other transfer mechanisms, such as the EU Commission's Standard Contractual Clauses. Read the Questions and Answers from the European Commission as well as the proposed adequacy decision.