
European Commission issues draft adequacy decision on EU-US Data Privacy Framework

The draft framework will now await approval from the European Commission which could take up to six months. Here’s what you need to know

Robb Hiscock Content Marketing Specialist | CIPP/E, CIPM


On December 13, 2022, the European Commission launched its process for the adoption of an adequacy decision on the EU-US Data Privacy Framework (EU-US DPF). President Joe Biden issued an Executive Order on the new EU-US DPF on October 7, 2022, which aims to provide enhanced protection for personal information transferred between the US and the EU. The Executive Order followed an agreement in principle on the transfer framework, announced in March 2022 by the President of the European Commission, Ursula von der Leyen, and marked the first formal step in adopting a new mechanism for transatlantic data flows.

The draft adequacy decision from the European Commission concludes that the legal framework in the US ensures an adequate level of protection for personal data transferred from the EU to US companies.

“Transatlantic data flows are critical to enabling the $7.1 trillion EU-U.S. economic relationship. The EU-U.S. DPF will restore an important legal basis for transatlantic data flows by addressing concerns that the Court of Justice of the European Union raised in striking down the prior EU-U.S. Privacy Shield framework as a valid data transfer mechanism under EU law.”

FACT SHEET: President Biden Signs Executive Order to Implement the European Union-U.S. Data Privacy Framework

Since the invalidation of the EU-US Privacy Shield in 2020 as a result of the Schrems II case, organizations have had to navigate alternative measures to ensure that personal data being transferred from the EU to the US has adequate and essentially equivalent levels of protection. Importantly, the EU-US DPF includes a new, two-layer mechanism for individuals to seek redress, a factor that was critical in the CJEU’s Schrems II decision. While the European Commission’s draft adequacy decision for the EU-US DPF must still go through the formal adoption process, which includes review by the European Data Protection Board (EDPB) and approval from a committee composed of representatives of the EU Member States, it marks the next step towards more legal certainty for organizations that rely on moving data from the EU to the US.

What does the European Commission’s draft adequacy decision say?

The announcement made by the European Commission outlines that it has assessed the legal framework in the US, and concluded that personal data transferred from the EU to the US will be protected to an adequate level based on the new framework.

The draft adequacy decision has now been published and transmitted to the European Data Protection Board (EDPB) for its opinion.

What did the Executive Order include? And how does it affect the new framework?

The EU-US DPF aims to alleviate the concerns raised by the Schrems II decision by ensuring further safeguards for the personal data of EU citizens being transferred out of Europe. The Executive Order issued by President Biden on October 7, 2022, implemented several requirements for US signals intelligence activities that would align with the new framework. These included ensuring surveillance activities are only conducted where necessary and proportionate to advance valid intelligence priorities.

Additionally, the Executive Order included information on the handling of personal information collected by US signals intelligence activities and extends the responsibility for remediating non-compliance to legal, oversight, and compliance officials. As a result of the Executive Order, the US Intelligence Community will be required to update its policies and procedures to reflect these new safeguards.

In its decision on the Schrems II case, the CJEU highlighted the lack of access for EU data subjects to legal redress mechanisms in cases where their personal data was intercepted in US intelligence efforts. Consequently, this is a key area of the EU-US DPF that the European Commission assessed. To alleviate these concerns, the US Executive Order included the creation of a multi-layer redress mechanism for applicable individuals.

This mechanism can be used in cases where personal information that has been collected through US signals intelligence was collected or handled by the US in violation of applicable privacy laws, including the enhanced safeguards required by the EU-US DPF. The first layer of the redress mechanism provides the Civil Liberties Protection Officer in the Office of the Director of National Intelligence (CLPO) the power to conduct investigations into complaints to determine whether non-compliance with the EU-US DPF or other US laws has occurred.

The second layer of the review empowers the Attorney General to establish a Data Protection Review Court (DPRC), which will provide an independent review of the CLPO’s decision. The DPRC will be formed of judges appointed from outside the US government who have relevant experience in data privacy and national security. The Attorney General today issued accompanying regulations on the establishment of the DPRC.

The CLPO will also be responsible for establishing an annual review of the Intelligence Community policies and procedures to ensure they align with the EU-US DPF.

How will this impact organizations’ data operations?

In the long term, the EU-US DPF aims to provide more legal certainty for organizations transferring personal data from the EU to the US, and organizations can look forward to using a more streamlined transfer solution. It will also restore an “important, accessible, and affordable data transfer mechanism” where the EU-US Privacy Shield once stood, but with enhanced protections for personal information and greater access to redress in cases of non-compliance.

Organizations looking to certify with the EU-US DPF will also need to consider new and additional items covered in Annex 1 of the draft adequacy decision. These include ensuring that your privacy program encompasses a broader scope of personal data, amending privacy notices to an EU level of transparency, and ensuring your vendor contracts include new provisions of the EU-US DPF.

In the short term, the announcement of progress on the EU-US DPF will address the concerns of EU citizens in the fallout from the Schrems II case. However, the adoption of an adequacy decision made by the European Commission is not expected until July 2023. In a statement, European Commissioner for Justice Didier Reynders said, “before next summer it must be possible to go to the end of the process […] It means we will maybe have a decision before July of next year.”

For now, organizations should consider that while the EU-US DPF may remove the need to conduct a Transfer Impact Assessment (TIA) in the case of transfers to the US, transfers from the EU to other third countries will still need to be assessed. Therefore, ensuring that your data map is up to date with current activities and vendors is essential to remain compliant with the GDPR.

What happens next?

The European Commission’s draft adequacy decision must now make its way through the formal adoption process. Following today’s announcement, the draft decision has been passed on to the EDPB, which will issue an opinion in due course. Representatives of each EU Member State will also need to assess and approve the Commission’s decision.

As part of any final EU adequacy decision, the EU-US DPF will be reviewed periodically to ensure that its protections continue to maintain a standard essentially equivalent to that found in the EU. The first review will take place one year after the formal adoption of the adequacy decision.

Once an adequacy decision is adopted by the Commission, businesses based in the EU will be able to transfer personal data to participating companies in the US, should they decide to rely on the EU-US DPF and therefore comply with its requirements, without the need for additional data protection safeguards such as Standard Contractual Clauses (SCCs).

Take a look at OneTrust’s range of solutions for dealing with data transfers to third countries, including visualization of international data flows, access to vendor transparency reports, and pre-filled TIAs from the OneTrust platform.
