This week, the European Commission presented its proposal for an adequacy decision within the framework of the so-called EU-U.S. Data Privacy Framework. This will be the prerequisite for companies to be able to transfer personal data that is subject to the GDPR to the USA in a legally secure manner in the future, thereby fostering safe transatlantic data flows.
The proposal has addressed the Schrems II ruling of July 2020, in which the European Court of Justice of the European Union had raised issues relating to the legal framework. The draft decision released this week follows the 7 October 2022 signature of an Executive Order – the third attempt – by the US President Joe Biden, including the regulations passed by U.S. Attorney General Merrick Garland.
Essentially, U.S. companies are able to participate in the EU-U.S. Data Privacy Framework by complying with a certain set of detailed privacy obligations. These rules cover safeguards for and limitations to an EU citizen’s personal data, such as reducing U.S. intelligence agencies’ access to it – especially for national security and criminal law enforcement purposes – and introducing a so-called independent and impartial redress mechanism. This means that U.S. companies are instructed to delete any personal data once it has expired of its usefulness for which it was initially collected. Furthermore, companies ought to ensure that personal data will continue to be protected once it is shared with any third parties.
To summarise, Commissioner for Justice Didier Reynders announced in a Twitter post: “We positively assessed the US legal framework provided by the Executive Order and AG Regulation as regards the protection of personal data. We can move to the next steps.” However, this third attempt at underpinning transatlantic data transfers is widely expected to encounter legal challenges.
Nonetheless, as for the next steps, the draft adequacy decision will have to go through the formal adoption procedure. After having transmitted the draft decision to the European Data Protection Board (EDPB) this week for its opinion, the Commission will then proceed to seek approval from the committee of EU Member States representatives. Additionally, the European Parliament will be able to carefully examine the decision as well. Following the approval, the Commission is then able to proceed with the adoption of the final adequacy decision.
Moreover, the EU-U.S. Data Privacy Framework will be contingent to reviews periodically, with the first review expected to take place within one year of the adequacy decision having entered into force. These reviews will be scrutinised by the Commission, along with both the European data protection authorities and competent U.S. authorities and aim to establish whether the US legal framework is indeed performing adequately in practice.