On 13 December, the European Commission launched the process to adopt an adequacy decision for the EU-US Data Privacy Framework (EU-US DPF).
The draft decision – available here – addresses the concerns raised by the Court of Justice of the European Union (CJEU) in its Schrems II decision of July 2020. These concerns centred around access to European personal data by US intelligence agencies and the lack of independent and impartial redress for EU citizens. However, following the signature of a US Executive Order by President Biden on 7 October 2022, along with regulations issued by the US Attorney General, the European Commission is now of the view that the US legal framework provides an adequate level of protection for EU personal data. In particular, the new rules introduced by the US Executive Order provide that:
- access to European data by US intelligence agencies will be limited to what is necessary and proportionate to protect national security; and
- EU individuals will have the possibility to obtain redress regarding the collection and use of their data by US intelligence agencies before an independent and impartial redress mechanism, which includes a newly created Data Protection Review Court. The Court will independently investigate and resolve complaints from Europeans, including by adopting binding remedial measures.
The draft decision is now going through the adoption procedure. This means that the European Commission has submitted the draft decision to the European Data Protection Board (EDPB) for its opinion. Next, the Commission will seek approval from a committee composed of representatives of the EU Member States. The European Parliament also has a right of scrutiny over adequacy decisions. Once this procedure is completed, the Commission can adopt the final adequacy decision. This process could take 6 or 7 months to conclude.
Once complete, US companies wishing to participate will be able to join the EU-US DPF by committing to a detailed set of privacy principles – the ‘EU-U.S. Data Privacy Framework Principles’. This will mean that it will no longer be necessary for participating US companies to enter into multiple Standard Contractual Clauses agreements with EU counterparties. Nor will it be necessary for organisations to complete transfer impact assessments (TIAs) in respect of transfers of personal data from the EU to participating US companies.
At this point, with the EU-US DPF not open to participation and the adequacy decision still in draft, no immediate action is necessary. The coming weeks will reveal what privacy activist groups and the EDPB make of the decision, where any challenges to its validity may come from, and what the UK and Swiss approaches to granting US adequacy will be. We will provide further updates as developments emerge.