A draft data adequacy decision in which the US ensures an adequate level of protection for personal data transferred from the EU to US companies has been created and could lead to the adoption of a workable framework.
The EU hopes the framework will improve the safety of transatlantic data flows and address concerns arising from the EU Court of Justice’s Schrems II decision of July 2020, which struck down the previous Privacy Shield arrangement.
Its decision follows the 7 October 2022 Executive Order signed by US president Joe Biden and the regulations issued by US attorney general Merrick Garland, which implemented in US law the agreement in principle agreed by Biden and EU president Ursula von der Leyen earlier this year.
The agreement saw the EU extract significant concessions from the Americans, including a commitment to expand oversight of the US’s signals intelligence operations, strengthen civil rights safeguards, and create a binding legal mechanism to give EU citizens rights of redress should their data be abused.
The draft decision reflects the EC’s assessment of the US legal framework and it will now be sent to the European Data Protection Board for its opinion. Following that, the EC will seek approval from a committee composed of EU member state representatives and offer the European Parliament the right to scrutinise adequacy decisions. It will then be able to proceed to adopting the final decision.
US companies will join the framework by committing to comply with the obligations it sets out, such as the requirement to delete personal data when it is no longer needed and ensure continuity of protection should it be shared further. EU citizens can access dispute resolution mechanisms and an arbitration panel at no cost to themselves, should a US organisation violate the framework.
At the same time, the US legal framework will offer limitations and safeguards regarding why, how and when US public authorities can access it if needed for law enforcement or national security purposes. This includes the rules introduced by Biden’s Executive Order and addresses the court’s concerns in the Schrems II judgment – access to EU data by intelligence agencies in the US will be limited to “necessary and proportionate” use, and EU citizens will again have the possibility to obtain redress regarding the collection and use of their data by US intelligence under an independent mechanism, including a newly created Data Protection Review Court, which will have the ability to issue binding remedial measures.