International: European Commission publishes draft adequacy decision for EU-US data flows
The European Commission published, on 13 December 2022, its draft adequacy decision for the EU-US Data Privacy Framework, aimed at fostering safe data flows and addressing concerns raised by the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'). In particular, the Commission clarified that the draft adequacy decision follows its assessment of the US legal framework, which includes the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities ('the Executive Order') signed by President Joe Biden as well as regulations establishing a Data Protection Review Court, and would permit transfers of personal data between the EU and certified organisations in the US.
Notably, the draft adequacy decision determines that the US, through the EU-US Data Privacy Framework, provides comparable safeguards to those of the EU and ensures an adequate level of protection for personal data transferred from the EU to certified organisations in the US. Furthermore, the draft adequacy decision provides, among other things, that:
- effective application of the EU-U.S. Data Privacy Framework Principles is guaranteed by transparency obligations and the administration of the EU-US Data Privacy Framework by the Department of Commerce;
- the oversight mechanisms and redress avenues in US law enable infringements of the data protection rules to be identified and punished in practice, and offer legal remedies to data subjects; and
- any interference in the public interest by US public authorities with the fundamental rights of data subjects, in particular for criminal law enforcement and national security purposes, will be limited to what is strictly necessary to achieve the legitimate objective in question, and effective legal protection against such interference exists.
In relation to certification, the Commission outlined that US companies will be able to join the EU-US Data Privacy Framework by committing to comply with a detailed set of privacy obligations, including the requirement to delete personal data when it is no longer necessary for the purpose of its collection and to ensure continuity of protection when personal data is shared with third parties. In addition, the Commission noted that there will be several redress avenues for EU citizens, including independent dispute resolution mechanisms and an arbitration panel.
Simultaneously, the Commission published Questions and Answers ('Q&As') on the draft adequacy decision, which state that the new redress mechanism shows significant improvements compared to the previous Privacy Shield Ombudsperson, including the ability for EU individuals to lodge complaints with the Civil Liberties Protection Officer and appeal decisions.
The draft adequacy decision has been sent to the European Data Protection Board ('EDPB') for its opinion. Following this, the Commission will seek approval from a committee composed of representatives of the EU Member States. Notably, the European Parliament will also have the right to review the adequacy decision. Once this procedure is completed, the Commission will be able to proceed with adopting the final adequacy decision.