On 13 December 2022, the European Commission published its draft adequacy decision for the EU-US Data Privacy Framework. The draft decision aims to address the concerns raised by the Court of Justice of the European Union ("CJEU") in its Schrems II decision in July 2020. Publication of the draft adequacy decision follows the signature of US Executive Order 14086 by President Biden on 7 October 2022, along with a US Regulation establishing a two-layer redress mechanism which includes a new Data Protection Review Court (previously discussed here).
If adopted by the European Commission, the adequacy decision will allow European data exporters to transfer personal data freely to US certified organisations, without the need to put in place a data transfer tool under Article 46 of the GDPR (such as the Standard Contractual Clauses) or to carry out and document a transfer impact assessment. The final adequacy decision is not expected before Spring 2023.
The Draft Adequacy Decision
The draft adequacy decision reflects the assessment by the European Commission of the US legal framework and concludes that the US ensures an adequate level of protection for personal data transferred from the EU to US certified companies.
US companies will be able to join the EU-US Data Privacy Framework by committing to comply with a detailed set of privacy obligations, including the requirement to delete personal data when it is no longer necessary for the purpose of its collection, and to ensure continuity of protection when personal data is shared with third parties. EU citizens will be able to benefit from several redress avenues if their personal data is handled in violation of the Framework, including independent dispute resolution mechanisms and an arbitration panel. In addition, the US legal framework provides for a number of limitations and safeguards regarding access to data by US public authorities, in particular for criminal law enforcement and national security purposes. This includes the new rules introduced by the US Executive Order 14086.
Next steps
The draft adequacy decision has now been sent to the European Data Protection Board ("EDPB") for its non-binding opinion. Following this, the European Commission will seek approval from a committee composed of representatives of the EU Member States. The approval requires 55% of EU countries (15 out of 27) representing at least 65% of the total EU population. In addition, the European Parliament will have the right to review the adequacy decision, but its position will be non-binding. Once this process is completed, the European Commission can proceed with adopting the final adequacy decision.
The functioning of the EU-U.S. Data Privacy Framework will be subject to periodic reviews, which will be carried out by the European Commission, together with European Data Protection Authorities, and the competent US authorities. The first review will take place within one year after the entry into force of the adequacy decision.
The European Commission's press release is available here, and the Q&As here.