On December 13, 2022, the European Commission published its draft adequacy decision for the new EU-US Data Privacy Framework (“EU-US DPF”). The draft decision concludes that the United States ensures an adequate level of protection for personal data transferred from the EU to US companies that participate in the EU-US DPF by committing to comply with a detailed set of obligations.
This new (draft) adequacy decision is supposed to replace the Privacy Shield, which was invalidated by the Schrems II judgment. The draft decision follows the signing of a US Executive Order by President Biden on 7 October 2022.
Key elements of EU-US DPF
US companies that want to participate in the EU-US DPF need to publicly declare their commitment to comply with a detailed set of data protection principles. Such principles were developed by the US Department of Commerce (“US Department”) in consultation with the European Commission. They include, amongst others, notice requirements, the obligation to protect personal data and to delete such data when it is no longer necessary for the purpose for which it was collected. The US Department will maintain and make available to the public an authoritative list of US companies that have self-certified to the US Department and declared their commitment to adhere to these principles.
EU citizens are supposed to benefit from several redress avenues if their personal data is handled in violation of the EU-US DPF, such as independent dispute resolution mechanisms and an arbitration panel.
Furthermore, the EU Commission highlights that the US legal framework provides for a number of limitations and safeguards regarding access to data by US public authorities, in particular for criminal law enforcement and national security purposes. This includes the new rules introduced by the US Executive Order, in particular the following:
Access to European data by US intelligence agencies is supposed to be limited to what is necessary and proportionate to protect national security;
EU individuals are supposed to have the possibility to obtain redress regarding the collection and use of their data by US intelligence agencies before an independent and impartial redress mechanism, which includes a newly created Data Protection Review Court. The Court is supposed to independently investigate and resolve complaints from Europeans, including by adopting binding remedial measures.
If the draft adequacy decision is adopted, European companies will be able to rely on the EU-US DPF for personal data transfers from the EU to the US. Currently, personal data transfers to the US are only legitimate on the basis of the (new) EU Commission’s standard contractual clauses or binding corporate rules – in conjunction with a data transfer impact assessment (“DTIA”).
Check the full Framework here.