At the end of 2022, the European Commission published its draft adequacy decision on the EU-US transfers of personal data. The draft contains an assessment of the US legal framework around state surveillance. Once in place, EU data transfers to the US under the new Data Privacy Framework (“EU-US DPF”) will be free. However, there are still some steps to take.
What is the EU-US DPF?
Under the EU-US DPF, EU organizations will be able to transfer personal data from the EU to the US freely to the US recipient that has self-certified under the new EU-US DPF regime (similar to the previous and still existing Privacy Shield certification). No EU Standard Contractual Clauses will be required for transfers covered by the EU-US DPF certification.
What has changed in the US legal framework to allow adequacy?
The previous EU-US Privacy Shield was invalidated by the Court of Justice of the European Union in 2020 due to the lack of protection of EU personal data. According to the Commission, the new Executive Order of President Biden of 7 October 2022 (“EO”), binding on the US intelligence agencies, replaced and strengthened limitations to access EU personal data and introduced new redress mechanisms for data subjects.
Beyond the certification regime set up for US companies, the EU-US DPF envisages an acceptance of EU-standard privacy principles and of appropriate internal changes to policies by the US intelligence agencies.
US surveillance organisations have until 7 October 2023 to bring adopt policies and procedures in line with the EO. Once the updated policies and procedures are in place, the US Privacy and Civil Liberties Oversight Board (PCLOB) will conduct a review to ensure they are consistent with the EO. After completion of the review, each intelligence service has 180 days to consider and implement or otherwise address all PCLOB recommendations.
The Commission will review the adequacy decision, once adopted, regularly for effectiveness, the first review taking place within the first year of the adoption and then taking place every four years.
What are the next steps?
The EU Justice Commissioner Didier Reynders expects the adequacy decision to be finalised before July 2023. There are a few steps before that can happen. The European Data Protection Board will provide its non-binding opinion on the draft adequacy decision. Then a committee representing the Member States will need to approve the draft, as well as the European Parliament.
It is not clear how this prediction aligns with the 7 October 2023 deadline for the US intelligence agencies mentioned above. Given this deadline, it may well be that the adequacy decision comes into effect contingent on the US intelligence agencies having met their obligations set out in the EO.
The EU draft adequacy decision is a strong response to critical statements by some EU data protection authorities after the EO was published. The Commission argues the EU-US DPF is now based on a legal foundation that can take a stand in case of possible claims before the Court of Justice of the EU.
Read more in our latest Reed Smith Client Alert.