Following President Biden’s Oct. 7, 2022 Executive Order on Enhancing Safeguards for United States Signals Intelligence, the European Commission concluded on Dec. 13, 2022 in a draft adequacy decision that the data privacy framework under the executive order ensures an adequate level of protection for personal data transferred from the European Union to the United States.
The adequacy decision is a tool under the General Data Protection Regulation (GDPR) to determine whether a non-EU country has an essentially equivalent level of data protection to that within the EU. A finding of adequacy enables data to flow freely from the EU to a non-EU country without additional safeguards. The newly released draft adequacy decision for the new EU-U.S. Privacy Framework is not yet adopted, and it is waiting for approval from the European Data Protection Board and a committee made of representatives of EU Member States.
In a recent announcement, the European Commission found the new framework to be a significant improvement from the former EU-U.S. privacy framework, the Privacy Shield. In the 2020 case commonly known as Schrems II, the Court of Justice of the European Union invalidated the Privacy Shield for failing to adequately protect EU citizens from the data collection activities of the U.S. intelligence community and for lacking an adequate redress mechanism for EU citizens when a privacy violation occurs. In response to the Schrems II decision, the new framework offers enhanced oversight of U.S. intelligence services to ensure compliance with limitations on surveillance activities, and a redress mechanism allowing EU individuals to lodge a complaint with a Civil Liberties Protection Officer and appeal adverse decisions at the newly established Data Protection Review Court.
Although the draft adequacy decision is awaiting approval, it is on strong footing and moves us one step closer towards final adoption. If the decision is adopted, U.S. companies will be able to certify its participation in the new data privacy framework and forego the use of the Standard Contractual Clauses. However, it is very likely that the adequacy decision approving the new framework will be subject to legal challenges. For now, companies that need to transfer data from the EU to the U.S. should continue using the Standard Contractual Clauses or another approved transfer mechanism.