Draft adequacy Decision: EU-U.S. Data Privacy Framework

Dec 14, 2022

i

Draft Adequacy Decision

On December 13, the European Commission began the process of adopting an adequacy decision for the EU-US Data Privacy Framework, which will encourage transatlantic data flows and address concerns raised by the European Union’s Court of Justice in its Schrems II decision in July 2020.

According to the draft adequacy decision, the US provides an adequate level of protection for personal data transferred from the EU to the US. This is based on a thorough examination of the Data Privacy Framework and its obligations for businesses, as well as the limitations and safeguards on access by US public authorities to data transferred to the US, particularly for criminal law enforcement and national security purposes.

The initiative for a draft adequacy decision comes after President Biden signed an Executive Order on October 7, 2022. Along with the Attorney General’s Regulation, the Executive Order codified the agreement in principle on a new EU-US Data Privacy Framework announced by Presidents von der Leyen and Biden in March 2022. The Executive Order includes new binding safeguards to address the concerns raised by the European Union’s Court of Justice in its Schrems II decision. It limits and safeguards US intelligence agencies’ access to data and establishes an independent and impartial redress mechanism to handle and resolve complaints from Europeans about the collection of their data for national security purposes.

Following the adoption of the adequacy decision, European entities will be able to transfer personal data to participating companies in the United States without the need for additional data protection safeguards.

US businesses will be able to certify their participation in the EU-US Data Privacy Framework by agreeing to a comprehensive set of privacy obligations (such as purpose limitation and data retention, as well as specific obligations concerning data security and the sharing of data with third parties).

The draft adequacy decision has been forwarded to the European Data Protection Board (EDPB) for comment.

Following that, the Commission must obtain approval from a committee comprised of EU Member State representatives. Furthermore, the European Parliament has the right to critically analyse adequacy decisions.

Only then will the European Commission be able to issue the final adequacy decision, allowing data to flow freely and securely between EU and US companies certified by the Department of Commerce under the new framework.

Recent news

Free Webinar: HL7 FHIR for Data Protection Officers

Free Webinar: HL7 FHIR for Data Protection Officers

We will dive into the relation between FHIR adoption and the application of data access & protection policies, listen from key speakers from HL7 Europe and EFDPO and hear from enlightening testimonials from hospital DPOs and IT specialists who made it work.

read more

Data Protection Day 2023

On the occasion of Data Protection Day, we invite you to take a look back at GDPR enforcement over the last few years and explore how the EDPB helps all EEA DPAs act as one to safeguard your rights, today and tomorrow. Join us to see how European data protection...

read more

EDPB publishes Binding Decision concerning WhatsApp

Following the EDPB’s binding dispute resolution decision of December 5th, WhatsApp IE was issued a 5.5 million euro fine by the Irish Data Protection Authority (DPA). In its Binding Decision, the EDPB instructed the IE DPA to amend its draft decision with respect to...

read more