Today, the European Commission launched the process towards the adoption of an adequacy decision for the EU-U.S. Data Privacy Framework, which will foster safe trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union in its Schrems II decision of July 2020.
Today's draft decision follows the signature of a US Executive Order by President Biden on 7 October 2022, along with the regulations issued by the US Attorney General Merrick Garland. These two instruments implemented into US law the agreement in principle announced by President von der Leyen and President Biden in March 2022.
The draft adequacy decision, which reflects the assessment by the Commission of the US legal framework and concludes that it provides comparable safeguards to those of the EU, has now been published and transmitted to the European Data Protection Board (EDPB) for its opinion. The draft decision concluded that the United States ensures an adequate level of protection for personal data transferred from the EU to US companies.
Key elements
US companies will be able to join the EU-U.S. Data Privacy Framework by committing to comply with a detailed set of privacy obligations, for instance, the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties. EU citizens will benefit from several redress avenues if their personal data is handled in violation of the Framework, including free of charge before independent dispute resolution mechanisms and an arbitration panel.
In addition, the US legal framework provides for a number of limitations and safeguards regarding the access to data by US public authorities, in particular for criminal law enforcement and national security purposes. This includes the new rules introduced by the US Executive Order, which addressed the issues raised by the Court of Justice of the EU in the Schrems II judgment:
European companies will be able to rely on these safeguards for trans-Atlantic data transfers, also when using other transfer mechanisms, such as standard contractual clauses and binding corporate rules.
Next steps
The draft adequacy decision will now go through its adoption procedure. As a first step, the Commission submitted its draft decision to the European Data Protection Board (EDPB). Afterwards, the Commission will seek approval from a committee composed of representatives of the EU Member States. In addition, the European Parliament has a right of scrutiny over adequacy decisions. Once this procedure is completed, the Commission can proceed to adopting the final adequacy decision.
The functioning of the EU-U.S. Data Privacy Framework will be subject to periodic reviews, which will be carried out by the European Commission, together with European data protection authorities, and the competent US authorities. The first review will take place within one year after the entry into force of the adequacy decision, to verify whether all relevant elements of the US legal framework have been fully implemented and are functioning effectively in practice.
Background
Article 45(3) of the General Data Protection Regulation grants the Commission the power to decide, by means of an implementing act, that a non-EU country ensures ‘an adequate level of protection', i.e. a level of protection for personal data that is essentially equivalent to the level of protection within the EU. The effect of adequacy decisions is that personal data can flow freely from the EU (and Norway, Liechtenstein and Iceland) to a third country without further obstacles.
After the invalidation of the previous adequacy decision on the EU-US Privacy Shield by the Court of Justice of the EU, the European Commission and the US government entered into discussions on a new framework that addressed the issues raised by the Court.
In March 2022, following intense negotiations between the lead negociators, Commissioner Reynders and Secretary Raimondo, President von der Leyen and President Biden announced an agreement in principle on a new transatlantic data transfer framework. In October 2022, President Biden signed an Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities', which was complemented by regulations adopted by the US Attorney General. Together, these two instruments implemented the US commitments into US law, as well as complemented the obligations for US companies. On this basis, the Commission is now proposing a draft adequacy decision on the EU-U.S. Data Privacy Framework.
Once the adequacy decision is adopted, European entities will be able to transfer personal data to participating companies in the United States, without having to put in place additional data protection safeguards.
For More Information
Factsheet – Transatlantic Data Privacy Framework
Joint Statement on Trans-Atlantic Data Privacy Framework
Questions & Answers: Executive Order, EU-U.S. Data Privacy Framework
EU-US data transfers | European Commission
Intensifying Negotiations on transatlantic Data Privacy Flow