EU-U.S. Data Privacy Framework—Draft Adequacy Decision by the European Commission: The Long-Awaited Replacement of the Privacy Shield?

The European Commission launched the formal process to adopt an adequacy decision for the EU-U.S. Data Privacy Framework on December 13, 2022. The framework will replace the Privacy Shield, which was invalidated by the Court of Justice of the European Union’s (“CJEU”) Schrems II ruling on July 16, 2020 (CJEU C-311/18, discussed in this client alert). The draft adequacy decision aims to foster transatlantic data flows and to address the concerns raised in Schrems II. The draft adequacy decision is therefore important for businesses on both sides of the Atlantic.

An adequacy decision is a formal decision by the European Commission which recognizes a comparable level of personal data protection to that of the European Union in a non-EU country, territory, or international organization. As a result of such decision, personal data can flow freely and safely from the European Economic Area (“EEA”) to that recognized location without being subject to any further conditions or authorizations.

The EU’s proposal to launch a formal process to adopt an adequacy decision follows President Biden’s decision to sign an Executive Order in October 2022 which introduced new binding safeguards that address concerns raised in Schrems II. In Schrems II, the CJEU held that the U.S. Privacy Shield did not provide protection that was “essentially equivalent” to that of the EU because EU residents did not have effective remedies for privacy violations and because U.S. intelligence agencies had access to the data that was too-broad. As a reaction to invalidating the Privacy Shield, the Executive Order now imposes limitations and safeguards on access to data by U.S. intelligence agencies and establishes an independent and impartial redress mechanism.

President Biden’s Executive Order forms an essential element of the draft adequacy decision and the European Commission’s assessment that the U.S. legal framework now ensures an adequate level of protection of personal data transferred from EU organizations to U.S. certified organizations.

More specifically, the European Commission considers that:

• The EU-U.S. Data Privacy Framework Principles, including the Supplemental Principles, issued by the U.S. Department of Commerce (“Principles”, see annex I of the draft adequacy decision) ensures effective protection that is essentially equivalent to the protection guaranteed by the GDPR;
• The effective application of the Principles is guaranteed by transparency obligations and the administration of the EU-U.S. Data Privacy Framework by the U.S. Department of Commerce;
• The oversight mechanisms and redress avenues in U.S. law enable infringements of data protection rules to be identified and punished in practice and offer legal remedies to data subjects (including EU residents) to exercise their data subject rights; and that
• Any interference in the public interest by U.S. public authorities, particularly for criminal law enforcement and national security purposes with the fundamental rights of data subjects will be limited to what is necessary and proportionate to protect national security, and that effective legal protection against such interference exists.

To benefit from the draft adequacy decision, U.S. companies will have to certify that they are participating in the EU-U.S. Data Privacy Framework on an annual basis.

The draft adequacy decision will now be reviewed by the European Data Protection Board, and by a committee composed of representatives of EU Member States under the comitology procedure. The European Parliament also has a right to scrutinize the draft adequacy decision and may do so. The European Commission can adopt the final version of the adequacy decision only after all these stakeholders have given a green light to the draft. Once the final decision is published, which is not expected before spring 2023, European companies will be able to rely on this framework for sharing data with certified companies in the U.S.

One final note: an adequacy decision is not the only mechanism to legitimize international data transfers. Companies can still rely on other transfer tools for transfers to the U.S., such as the standard contractual clauses for international data transfers adopted by the European Commission last year. The European Commission emphasizes that the safeguards that the U.S. Government has put in place in the Executive Order, namely the limitations and safeguards to data accessed by U.S. intelligence agencies will be available for all EU-transfers to U.S. organizations, regardless of the mechanism used for the specific transfer. Companies relying on the standard contractual clauses for their international transfers to the U.S. will consequently benefit from these provisions as well.

Crowell and Moring will continue to follow developments on these issues and provide ongoing updates.