The European Union (EU) Commission released its Draft Adequacy Decision for the EU-US Data Privacy Framework on December 13, which, in conjunction with President Biden’s executive order issued on October 7, will further facilitate trans-Atlantic data flows. The Draft Adequacy Decision mirrors the executive order, which established safeguards relating to the handling of personal information in the course of signals intelligence activities. If and when adopted, the adequacy decision will impact contractual requirements and processes by restoring data flows through a new Trans-Atlantic Data Privacy Framework.
What did the executive order achieve?
As we previously discussed, the executive order requires surveillance of foreign electronic communications to be necessary and proportionate to the advancement of a validated intelligence priority. Additionally, the executive order established a two-layer redress system with independent and binding authority, which includes the methods of filing and appealing complaints from EU individuals, and created a new Data Protection Review Court (DPRC) within the Executive Branch.
What is an adequacy decision?
An adequacy decision is a tool created in the General Data Protection Regulation (GDPR), which allows free and safe transfer of personal data from the European Union to other countries that offer a comparable level of protection. If adopted, European entities will be able to transfer personal data to participating US companies without having to implement additional data safeguards.
How does this impact US companies?
US companies will be able to certify their participation in the EU-US Data Privacy Framework through a commitment to comply with a detailed set of privacy and data security obligations. This means that data exporters should be able rely less on the stringent EU Standard Contractual Clauses (SCCs), which limit the transfer of personal data from the European Union to the United States to narrowly defined situations, and often require individual consents.
What’s next?
The Commission believes that in light of the US Executive Order of October, there are “significant improvements [from the US] compared to the mechanism that existed under the Privacy Shield… The draft adequacy decision concludes that the United States ensures an adequate level of protection for personal data transferred from the EU to the US.”
The draft adequacy decision was submitted to the European Data Protection Board for its opinion, and subsequently, the Commission will need to obtain approval of a committee composed of representatives of EU member states and the European Parliament. Finally, the Commission can (and likely will) adopt the final adequacy decision sometime in 2023.
How can companies transfer personal data in the meantime?
Companies can continue to utilize and rely on the SCCs (as updated in 2021) in their commercial contracts and derogations in the GDPR as ways to transfer data from the European Union.