Draft adequacy Decision: EU-U.S. Data Privacy Framework

Dec 14, 2022

i

Draft Adequacy Decision

On December 13, the European Commission began the process of adopting an adequacy decision for the EU-US Data Privacy Framework, which will encourage transatlantic data flows and address concerns raised by the European Union’s Court of Justice in its Schrems II decision in July 2020.

According to the draft adequacy decision, the US provides an adequate level of protection for personal data transferred from the EU to the US. This is based on a thorough examination of the Data Privacy Framework and its obligations for businesses, as well as the limitations and safeguards on access by US public authorities to data transferred to the US, particularly for criminal law enforcement and national security purposes.

The initiative for a draft adequacy decision comes after President Biden signed an Executive Order on October 7, 2022. Along with the Attorney General’s Regulation, the Executive Order codified the agreement in principle on a new EU-US Data Privacy Framework announced by Presidents von der Leyen and Biden in March 2022. The Executive Order includes new binding safeguards to address the concerns raised by the European Union’s Court of Justice in its Schrems II decision. It limits and safeguards US intelligence agencies’ access to data and establishes an independent and impartial redress mechanism to handle and resolve complaints from Europeans about the collection of their data for national security purposes.

Following the adoption of the adequacy decision, European entities will be able to transfer personal data to participating companies in the United States without the need for additional data protection safeguards.

US businesses will be able to certify their participation in the EU-US Data Privacy Framework by agreeing to a comprehensive set of privacy obligations (such as purpose limitation and data retention, as well as specific obligations concerning data security and the sharing of data with third parties).

The draft adequacy decision has been forwarded to the European Data Protection Board (EDPB) for comment.

Following that, the Commission must obtain approval from a committee comprised of EU Member State representatives. Furthermore, the European Parliament has the right to critically analyse adequacy decisions.

Only then will the European Commission be able to issue the final adequacy decision, allowing data to flow freely and securely between EU and US companies certified by the Department of Commerce under the new framework.

Recent news