On December 13, 2022, the European Commission launched the process for the adoption of an adequacy decision for the EU-U.S. Data Privacy Framework. If adopted, the long-awaited adequacy decision will provide EU companies transferring personal data to the U.S. with an additional mechanism to legitimize their transfers.
An adequacy decision would foster trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union (“CJEU”) judgment in the Schrems II case.
Adequacy decisions are one of the tools offered by Chapter V of the EU General Data Protection Regulation (“GDPR”) in order to legitimize transfers of personal data from the EU to third countries which, according to the EU Commission, provide an adequate level of protection of personal data.
The proposal for a draft adequacy decision marks the culmination of years of intense negotiations between the EU and the U.S., following the Court of Justice’s declaration that the EU-U.S. Privacy Shield Framework was invalid in its Schrems II judgment.
The draft adequacy decision follows President Biden’s signature on October 7, 2022, of the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, which provides a new framework for legal data transfers between the EU and the U.S. (the “EU-U.S. Data Privacy Framework”).
Companies that adhere to the EU-U.S. Data Privacy Framework by self-certifying and committing to comply with a detailed set of privacy obligations will be able to receive EU personal data without having to put in place additional transfer safeguards. Companies’ commitments when self-certifying to the EU-U.S. Data Privacy Framework include, among others, the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected and to ensure continuity of protection in the event of onward transfers.
Under the new EU-U.S. Data Privacy Framework, Europeans will be offered several redress mechanisms if their personal data is handled in violation of the Framework, including a two-layer redress mechanism. Under this two-layer redress mechanism, EU individuals will be able to lodge a complaint to the so-called “Civil Liberties Protection Officer” of the U.S. intelligence community and appeal the decision of the Civil Liberties Protection Officer before the newly created Data Protection Review Court (the “Court”). The Court will be competent to investigate and resolve complaints regarding access by U.S. national security authorities to EU individuals’ personal data and to take binding remedial decisions (such as to order the deletion of the data by the relevant intelligence agency). According to the EU Commission, this mechanism presents significant improvements compared to the redress mechanism that was available under the EU-U.S. Privacy Shield.
Additional limitations and safeguards which specifically aim at addressing the CJEU judgment in the Schrems II case are also included in the EU-U.S. Data Privacy Framework, such as the limitation of U.S. intelligence agencies’ access to European data to what is necessary and proportionate to protect national security.
The European Data Protection Board (“EDPB”) will now provide its opinion on whether the new EU-U.S. Data Privacy Framework is sufficient to ensure an equivalent level of protection for personal data transferred from the EU to U.S. companies. Afterwards, the approval of the draft adequacy decision by a committee of Member States representatives will be sought. Finally, the European Parliament will also have a right of scrutiny over the draft adequacy decision.
Once the adoption process is complete, the EU Commission can adopt the final adequacy decision. The adoption process for the EU-U.S. Data Privacy Framework is expected to take around six months.
In the meantime, companies can continue relying on the other transfer mechanisms made available by the GDPR, such as the EU Commission’s Standard Contractual Clauses. Read the European Commission’s Questions & Answers and the draft adequacy decision.