The draft adequacy decision for the EU-U.S. Data Privacy Framework has been published – what’s next?

On 13 December 2022, The European Commission published its draft adequacy decision for the EU-U.S. Data Privacy Framework (EU-US DPF) that is to be adopted in 2023. Since the European Court of Justice’s (CJEU) Schrems II decision and the invalidation of EU-US Privacy Shield in 2020, the trans-Atlantic exports of EU personal data has been the center of discussion and caused a substantial amount of work to both EU and US based companies. The draft decision follows the Executive Order by US President Joe Biden issued in October, which notably introduced the establishment of a Data Protection Review Court and limiting, to some point, the access of US intelligence agencies to EU residents’ personal data.

The key elements of the Draft Decision include:

  • Privacy principles established by the US Department of Commerce (DoC), which ensure the same level of protection as guaranteed by the GDPR when personal data is transferred from the EU to the certified US organizations.

  • The (re-)certification of US organizations under the DPF. The US organizations are required to publicly declare their commitment to comply with the principles, make their privacy policies available and fully implement them. They have to provide the DoC with information such as the purpose for processing personal data and the personal data covered by the certification. The US organizations that maintained their Privacy Shield certification can also re-certify under the DPF.

  • Necessity and proportionality when accessing and using personal data. Any interference with the fundamental rights of individuals whose personal data is transferred to the US will be limited to what is strictly necessary to achieve the legitimate objective. This is particularly the case where data is processed by the US public authorities in the public interest for criminal law enforcement and national security purposes.

  • Reviewing and monitoring of the DPF by the European Commission. The DPF will be reviewed within one year after the entry into force to ensure all its relevant elements have been fully implemented and are functioning effectively in practice. After this, periodic reviews will be carried out every four years. The US authorities are also required to promptly inform the European Commission of material developments in the U.S. legal order which have an impact on the DPF and any evolution in practices related to the processing of personal data assessed in the DPF.

Once the decision is adopted, European companies will be able to transfer personal data to participating companies in the US without additional data protection safeguards. The safeguards provided in the decision will also apply when the companies are using other transfer mechanisms, such as standard contractual clauses (SCC) or binding corporate rules

Next steps

Before the EU-US DPF is finalized, the draft adequacy decision will undergo its adoption procedure. It will now be examined by the European Data Protection Board (EDPB) for nonbinding opinions, after which it will have to be approved by a committee composed of the member states’ representatives. In addition, the European Parliament will also have the right to review the decision. Once the draft has been officially approved, the final adequacy decision can be adopted.

It remains to be seen whether the draft decision will meet the key requirements of the European legislation - that the US surveillance is proportionate, and that there is access to judicial redress. Therefore, questions regarding the US intelligence agencies and their interpretation of ‘proportionality’, as well as the functioning of the Data Protection Court will play a massive role in the upcoming decision. Until the final decision has been made, with the expected time being in summer 2023, the companies will still have to put in place additional data protection safeguards when exporting personal data from the EU.

Want to hear more? Contact our data protection lawyers.