On December 13, the European Commission published its draft adequacy decision for the EU-US Data Privacy Framework.
The draft decision came after the signature of the Executive Order by US President Joe Biden in October. The Executive Order will introduce safeguards for EU residents’ personal data, in particular by limiting the US intelligence services’ access to data and introducing an independent redress mechanism: Data Protection Review Court.
With the draft decision, the Commission considers the new legal framework based on the Executive Order as having an adequate level of data protection comparable with European data protection standards. This means that the EU residents’ personal data can be safely and legally transferred to the United States.
There are still two steps that need to be taken for the finalization of the data adequacy process. Following the draft decision, the European Data Protection Board, which gathers all EU data protection authorities, will issue an opinion. The decision will then need to have the approval of a committee formed by member states’ national representatives before the formal adoption. The Commission expects to obtain the approval by the summer of 2023.
If approved, the adequacy decision would be subject to regular review to ensure the full implementation of the relevant elements from the US legal framework and their effective functioning in practice. The reviews will start one year after the adoption of the decision.
The draft decision might be subject to legal challenges as has happened to its predecessors in the two landmark Schrems rulings. Max Schrems has been quoted as saying “As the draft decision is based on the known Executive Order, I can’t see how this would survive a challenge before the Court of Justice. It seems that the European Commission just issues similar decisions over and over again, which in flagrant breach of our fundamental rights.”
It is important to note that there are other tools for international transfers available to companies in the meantime. Standard Contractual Clauses, which companies can add in their commercial contracts, are the most used mechanism to transfer data from the EU to the United States. As updated by the European Commission in June 2021, the modernized Standard Contractual Clauses must be accompanied with a Transfer Impact Assessment which is aimed to identify and mitigate privacy risks before personal data can leave the European Economic Area. Until there is certainty from the European Commission regarding this draft adequacy decision, companies must ensure they adhere to the requirements for international data transfers.
Does your organisation have questions about international data transfers to the US? Contact us, experts in data privacy, if you want to learn more via email@example.com.