Before the EU-US DPF is finalized, the draft adequacy decision will undergo its adoption procedure. It will now be examined by the European Data Protection Board (EDPB) for nonbinding opinions, after which it will have to be approved by a committee composed of the member states’ representatives. In addition, the European Parliament will also have the right to review the decision. Once the draft has been officially approved, the final adequacy decision can be adopted.
It remains to be seen whether the draft decision will meet the key requirements of the European legislation - that the US surveillance is proportionate, and that there is access to judicial redress. Therefore, questions regarding the US intelligence agencies and their interpretation of ‘proportionality’, as well as the functioning of the Data Protection Court will play a massive role in the upcoming decision. Until the final decision has been made, with the expected time being in summer 2023, the companies will still have to put in place additional data protection safeguards when exporting personal data from the EU.
Want to hear more? Contact our data protection lawyers.