European Commission Announces Draft U.S. Adequacy Decision

Blog WilmerHale Privacy and Cybersecurity Law

On December 13, 2022, the European Commission initiated the process to adopt an adequacy decision for the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”). The draft adequacy decision follows President Biden’s October Executive Order 14086, which implemented binding safeguards and redress mechanisms, previously negotiated with the European Commission. The draft adequacy decision is welcome news for companies affected by the period of uncertainty introduced by the July 2020 Schrems II judgment of the Court of Justice of the European Union (CJEU). The release of the draft decision starts a finalization process that is expected to take approximately six months.

The draft decision concludes that the new EU-U.S. DPF provides adequate safeguards to protect personal data that is transferred to the United States – acknowledging U.S. efforts to address deficiencies identified by the CJEU in Schrems II, particularly as they relate to U.S. officials potentially accessing EU personal data for national security purposes. Specifically, the draft applauds the newly created redress system for its binding nature and accessibility.

Once the decision is finalized, U.S. companies that would like to participate in the EU-U.S. DPF will need to comply with a detailed set of specified privacy obligations. These obligations are fairly similar to those required previously under the Privacy Shield, since the Schrems II judgment largely left those principles untouched. For example, companies will need to continue to adhere to principles such as choice, notice, and access. Once the decision is adopted, European companies will be able to transfer personal data from the EU to the U.S. companies that have signed up for the framework without having to take additional steps to protect personal data (such as by implementing standard contractual clauses (SCCs), which is what many companies have relied upon in light of the Schrems II judgment).

In the meantime, companies may choose to continue to maintain and update their Privacy Shield registration to minimize potential enforcement risk related to data that they processed prior to Schrems II. Additionally, companies should continue to rely on SCCs and other valid data transfer mechanisms for EU-U.S. data transfers before the EU-U.S. DPF is finalized (and companies are able to register under the new framework).

Below we provide a brief overview of the new framework, the adequacy decision process, and expected legal challenges.
 
The Framework

The EU-U.S. DPF imposes privacy obligations for companies and heightened safeguards against broad use of signals intelligence, including a new redress mechanism for complaints concerning U.S. signals intelligence activities. The following are some of the key takeaways:
  • The framework imposes obligations including purpose and storage limitations. 
  • Under the framework, participating companies will be responsible for ensuring continuity of specified protection when personal data is shared with third parties, through accountability measures and contractual provisions, like standard contractual clauses.
  • The framework also limits U.S. intelligence agencies’ access to EU personal data to what is necessary and proportionate to protect national security.
  • Under the EU-U.S. DPF, intelligence agencies must make a determination, prior to collection, that bulk collection of intelligence is necessary to advance national security aims, and that it could not reasonably be obtained from targeted collection.
  • The framework provides EU data subjects with a mechanism to seek redress and appropriate remediation if their personal data is handled in violation of the EU-U.S. DPF.

For more on the obligations and safeguards included in the new framework you can review our blog post on this topic here.

The Adequacy Decision Process

Prior to final adoption, the draft decision will undergo an EU approval process, which includes obtaining a non-binding opinion from the European Data Protection Board and European Parliament. These steps may result in minor changes to the draft decision. The European Commission will also need to seek approval of the draft decision from a committee composed of representatives of EU Member States. Approval will require an affirmative response from at least 55% of countries, or 15 out of 27 Member States.

Following approval by the EU Member States, the European Commission will formally adopt the final adequacy decision, which is expected roughly in June 2023. Once adopted, the adequacy decision will facilitate EU-U.S. data flow by allowing European companies to safely transfer personal data to participating companies in the U.S., without having to put in place additional safeguards.

Expected Legal Challenges

The European Commission’s adequacy decision will likely be challenged in court. For example, EU activist Max Schrems has already publicly pledged to do so, citing his concerns over the alleged lack of specificity imposed by the language limiting public authorities’ access to signals intelligence, specifically pointing to the necessity and proportionality requirement. Proponents of the new framework are hopeful that the adequacy decision can withstand a challenge before the CJEU. For example, DG Justice Commissioner Didier Reynders, the EU’s chief negotiator of the EU-U.S. DPF, acknowledged, “I’m sure we’ll have to go back to the Court of Justice. I’m just hoping it’s possible to have a positive decision.”

We will continue to monitor changes in privacy law and their impact on trans-Atlantic digital trade.

 
 
 

