The European Union (EU) – United States (US) Data Privacy Framework has taken a step closer to reality after the European Commission (EC) issued a draft data adequacy decision – ruling that the US ensures an adequate level of protection for personal data transferred from the EU to US companies – and began the process towards the adoption of the framework.
The EU hopes the framework will improve the safety of transatlantic data flows and address concerns arising from the EU Court of Justice’s Schrems II decision of July 2020, which struck down the previous Privacy Shield arrangement.
The EC’s decision follows the 7 October 2022 Executive Order signed by US president Joe Biden and the regulations issued by US attorney general Merrick Garland, which implemented in US law the agreement in principle reached by Biden and EU president Ursula von der Leyen earlier this year. The agreement saw the EU extract significant concessions from the Americans, including a commitment to expand oversight of the US’s signals intelligence operations, strengthen civil rights safeguards, and create a binding legal mechanism to give EU citizens rights of redress should their data be abused.
The draft decision reflects the EC’s assessment of the US legal framework and it will now be sent to the European Data Protection Board for its opinion. Following that, the EC will seek approval from a committee composed of EU member state representatives and offer the European Parliament the right to scrutinise adequacy decisions. It will then be able to proceed to adopting the final decision.
“Our talks with the US have resulted in proposing a framework that will further improve the safety of personal data of Europeans transferred to the US. It builds on our good cooperation and progress we have made over the years,” said EU vice-president for values and transparency Věra Jourová.
“The future framework is also good for businesses and it will strengthen transatlantic cooperation. As democracies, we need to stand up for fundamental rights, including data protection. This is a necessity, not a luxury, in the increasingly digitalised and data-driven economy.”
Didier Reynders, EU commissioner for justice, added: “Today’s draft decision is the outcome of more than one year of intense negotiations with the US that I led together with my US counterpart secretary of commerce [Gina] Raimondo.
“Over the past months, we assessed the US legal framework provided by the Executive Order as regards the protection of personal data. We are now confident to move to the next step of the adoption procedure. Our analysis has shown that strong safeguards are now in place in the US to allow the safe transfer of personal data between the two sides of the Atlantic.
“The future framework will help protect citizens’ privacy, while providing legal certainty for businesses. We now await feedback from the European Data Protection Board, member states’ experts and the European Parliament.”
US companies will join the framework by committing to comply with the obligations it sets out, such as the requirement to delete personal data when it is no longer needed and ensure continuity of protection should it be shared further. EU citizens will be able to access dispute resolution mechanisms and an arbitration panel at no cost to themselves, should a US organisation violate the framework.
At the same time, the US legal framework will offer limitations and safeguards regarding why, how and when US public authorities can access that data if needed for law enforcement or national security purposes. This includes the rules introduced by Biden’s Executive Order and addresses the court’s concerns in the Schrems II judgment – access to EU data by US intelligence agencies will be limited to “necessary and proportionate” use, and EU citizens will again have the possibility to obtain redress regarding the collection and use of their data by US intelligence under an independent mechanism, including a newly created Data Protection Review Court, which will have the ability to issue binding remedial measures.
The Commission said EU companies would be able to rely on these safeguards when conducting transatlantic data transfers, but also when using other transfer mechanisms like standard contractual clauses (SCCs) and binding corporate rules.
The functioning of the framework will be subject to periodic reviews by the EC, along with member state data protection bodies and the relevant US authorities. The first such review is mandated to take place after the final decision comes into force, to verify whether all relevant elements of the US legal framework have been fully implemented and are functioning effectively in practice.
Patrick Van Eecke, head of the European cyber, data and privacy practice at law firm Cooley, welcomed the EC decision as a step in the right direction. He said it was good news for transatlantic businesses in particular after a period of uncertainty.
“It will re-allow much smoother transatlantic personal data flows and dispense with the current hassle of transfer impact assessments and filling out long forms,” said Van Eecke.
“The new framework has multiple advantages for companies. Adhering to the rules of the adequacy decision will allow a US company to receive personal data from any company based in the EU, without the need to enter into 50-plus-page data transfer agreements based on standard contractual clauses with each contract partner. And data transfer impact assessments are probably no longer required,” he told Computer Weekly in emailed comments.
“But the risk remains that within the next few years the adequacy ruling is invalidated again by the European Court of Justice. This creates legal uncertainty for companies,” he added. “It is like putting Concorde in the air again to New York: it is fast, smooth and easy for transporting people back and forth from Europe to the US. But you never know if it will be flying next year. So, use it when it is available, but make sure you have an alternative option which is air-ready if and when Concorde stops flying again.”
Van Eecke said he would advise clients to make use of the opportunity presented by the ruling when it is finally adopted, but also to make sure they have a “parachute” in the form of a fallback clause which would automatically apply SCCs should the framework be invalidated.