On the 13 December 2022 the European (EU) Commission released its draft adequacy decision for the EU-U.S. Data Privacy Framework (DPF). This decision follows the signature of a US Executive Order by President Biden on the 7th October 2022 in which the US government made several commitments to implement new binding safeguards to address the concerns raised by the Court of Justice of the European Union (CJEU) in its Schrems II judgement.
What is an adequacy decision?
An adequacy decision is a decision made by the European Commission in which it recognises that a certain country can offer a comparable level of protection of personal data to that of the EU Organisations that can rely on it to justify a transfer of personal data from the EU to a third country that has received an adequacy decision from the EU commission.
The DPF, if adopted, would formally recognise that the US ensures an adequate level of protection for personal data transferred from the EU.
Key features of the draft decision
The DPF is based on a system of certification by which US organisations commit to a set of privacy principles, the ‘EU-U.S. Data Privacy Framework Principles’. While the adherence to that framework is voluntary for US companies, its compliance is compulsory for organisation that choose to rely on it. To enter that framework, they must:
“(a) be subjected to the investigatory and enforcement powers of the Federal Trade Commission (“FTC”), the U.S. Department of Transportation “DOT”) or another statutory body recognised by the EU; (b) publicly declare its commitment to comply with the Principles; (c) publicly disclose its privacy policies in line with these Principles; and (d) fully implement them”.
Furthermore, the draft decision has tackled the new safeguards adopted by the US government to further regulate the access and use of personal data transferred from the EU by US public authorities. The two main changes in that regard are:
- The introduction of a proportionality test for surveillance activities executed by US public agencies. The framework has ensured that access and further use of the data is limited to what is necessary and proportionate to the public interest objective pursued.
- The establishment of an independent and impartial redress mechanism for data subjects. Indeed, the Data Protection Review Court has been inaugurated to handle and resolve complaints from individuals concerning U.S. signals intelligence activities.
What is next for US and EU companies?
The European Data Protection Board is yet to publish its opinion on the draft adequacy decision, after which the commission will require the approval from a committee composed of representatives of the EU Member States. The European parliament has, in the meantime, a right of scrutiny over that decision. If given the green light by the relevant authorities, the commission is expected to publish the final adequacy decision by mid-2023. When officially adopted, certified organisations will be able to rely on the DPF to justify the data flow of personal data from the EU to the US.
It is important to remember that an adequacy decision is not the only tool for international transfers. Organisations can still rely on their existing Standard Contractual Clauses if they have decided not to adopt the DPF or if the DPF fails. It is also important to note, that even though the DPF is not officially implemented, all the safeguards that have been put in place by the US Government in the area of national security (including the redress mechanism) will be available for all transfers to companies in the US under the General Data Protection Regulations, regardless of the transfer mechanisms used.
HewardMills have a number of Data Analysts and Consultants who are well placed to advise on any queries that your organisation may have in relation to data transfers.