Land in sight? – European Commission publishes draft adequacy decision for new EU-US Data Privacy Framework
On 13 December 2022, the European Commission published a draft adequacy decision on the transfer of personal data to the US on the basis of the new EU-US Data Privacy Framework.
In its adequacy decision, the European Commission comes to the finding that under the new EU-US Data Privacy Framework an adequate level of protection for the processing of personal data exists in the US. This means that once the adequacy decision has been adopted, transferring personal data to the US will be permitted under the new EU-US Data Privacy Framework without any further measures for transfers to third countries or official authorisations being required.
Background: Schrems II judgment of the CJEU, new Transatlantic Data Privacy Framework and US Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities
In a striking decision issued in the Schrems II case on 16 July 2020, the European Court of Justice (CJEU) declared the European Commission’s implementing decision on the EU-US Privacy Shield invalid, without even providing a transition period, thus dealing a bitter blow to transatlantic transfers of data.
On 25 March 2022, the European Commission and the US published a joint statement on a new “Trans-Atlantic Data Privacy Framework”. In this statement they announced that the successor to the EU-US Privacy Shield, which had been found invalid by the CJEU, should also address the concerns raised by the CJEU in Schrems II. On 7 October 2022, US President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, which is intended to implement the agreements with the European Commission on the new Trans-Atlantic Data Privacy Framework in US law. On the same day, the European Commission subsequently announced that it would be taking steps to prepare an adequacy decision for the new EU-US Data Privacy Framework and launching the procedure for its adoption on this basis.
Further steps to adopt the adequacy decision and outlook
The European Commission has already submitted the now published draft adequacy decision on the new EU-US Data Privacy Framework to the European Data Protection Board (EDPB) for its opinion. The European Commission then still has to obtain the green light from a committee consisting of representatives of the EU Member States. In addition to this, the European Parliament also has a right of scrutiny over adequacy decisions. Once these procedures have been completed, the European Commission will be able to adopt the adequacy decision.
At the moment, it is not possible to predict when the adequacy decision announced by the European Commission will actually enter into force. The Commission itself has not yet officially announced a specific date. It is likely that the decision will be adopted in the first quarter of 2023.
While it is not surprising that the new EU-US Data Privacy Framework has already attracted some harsh criticism, the European Commission is convinced its new adequacy decision will withstand a new review by the CJEU. We can expect the new adequacy decision to also come before the CJEU sooner or later. At least for the time being, however, companies will be able to base data transfers to the US on the European Commission’s new adequacy decision.
So land is now in sight for the transatlantic transfers of data that have been affected by Schrems II, at least in the medium term. Nevertheless, it is essential to continue reviewing all the risks of international data transfers in companies as set out in the comprehensive transfer impact assessments (TIA) recommended by the EDPB – not least considering the accountability under data protection law – and to take steps to deal with any risks where appropriate.
Otherwise, until the adequacy decision has been finally adopted it is still necessary to carry on taking appropriate safeguards (at least as an interim solution) for data transfers to the US, for instance to applying the new standard contractual clauses introduced by the European Commission in 2021. As the transition period for the European Commission’s old standard contractual clauses from 2001 and 2010 ends on 27 December 2022, despite all the euphoria about the adequacy decision on the EU-US Data Privacy Framework that is just around the corner, companies may have no choice but to amend existing contracts containing old standard contractual clauses at short notice.
Any questions? Please contact: Sebastian Dienst or Mirjam Lück
Practice group: Data Privacy