European Commission starts process to adopt adequacy decision for safe data flows with the US

The EU Commission has launched the process for the adoption of an adequacy decision for the EU-US Data Privacy Framework, which will foster safe trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union in its Schrems II decision of July 2020.

The draft decision follows the signature of a US Executive Order by President Biden on 7 October 2022, along with the regulations issued by the US Attorney General Merrick Garland. These two instruments implemented into US law the agreement in principle announced by President von der Leyen and President Biden in March 2022.

The draft adequacy decision, which reflects the Commission’s assessment of the US legal framework and concludes that it provides comparable safeguards to those of the EU, has now been published and transmitted to the European Data Protection Board (EDPB) for its opinion. The draft decision concludes that the United States ensures an adequate level of protection for personal data transferred from the EU to US companies.

Key elements of the draft adequacy decision:

  • US companies will be able to join the EU-US Data Privacy Framework by committing to comply with a detailed set of privacy obligations, e.g. the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and ensuring continuity of protection when personal data is shared with third parties; EU citizens will benefit from various redress mechanisms if their personal data is handled in violation of the Framework;
  • the US legal framework provides for various limitations and safeguards regarding access to data by US public authorities, e.g. for criminal law enforcement and national security purposes; this includes new rules introduced by the US Executive Order, which addressed the issues raised by the Court of Justice of the EU in the Schrems II judgment:
    • access to European data by US intelligence agencies will be limited to what is necessary and proportionate to protect national security;
    • EU individuals will be able to obtain redress regarding the collection and use of their data by US intelligence agencies through an independent and impartial redress mechanism, which includes a newly created Data Protection Review Court; the Court will independently investigate and resolve complaints from Europeans, including by adopting binding remedial measures; and
    • European companies will be able to rely on these safeguards for trans-Atlantic data transfers when using other transfer mechanisms, such as standard contractual clauses and binding corporate rules.

The draft adequacy decision will now go through its adoption procedure. Once the EDPB has published its opinion, the Commission will seek approval from a committee of representatives of the EU Member States. The European Parliament also has a right of scrutiny over adequacy decisions. Once this procedure is complete, the Commission can proceed to adopt the final adequacy decision.

The functioning of the EU-US Data Privacy Framework will be subject to periodic reviews, which will be carried out by the EU Commission together with European data protection authorities and the competent US authorities. The first review will take place within one year after the entry into force of the adequacy decision, to verify whether all relevant elements of the US legal framework have been fully implemented and are functioning effectively in practice.