EU-US draft adequacy decision now published

Following the signature of a US Executive Order by President Biden on 7 October 2022 (the "Executive Order"), on 13 December 2022, the European Commission published a draft adequacy decision for the EU-U.S. Data Privacy Framework (the "Draft Adequacy Decision"). The Draft Adequacy Decision has now been transmitted to the European Data Protection Board ("EDPB") for its opinion.

The Draft Adequacy Decision reflects the conclusion of the European Commission that the US legal framework provides comparable safeguards to those of the EU, and ensures an adequate level of protection for personal data transferred from the EU to organisations in the US that are signed up to the EU-U.S. Data Privacy Framework (the "Framework").  Notably, as a result of the Executive Order, the US legal framework now provides several limitations regarding the access of data by US public authorities, in particular for criminal law enforcement and national security purposes.

As a reminder US companies will be able to self-certify to the US Department of Commerce on an annual basis to declare their commitment to comply with a detailed set of privacy obligations, referred to as the 'EU-U.S. Data Privacy Framework Principles' (the "Principles"). These Principles include, for example, ensuring that personal information is limited to what is relevant for the purposes of the processing; deleting personal data when it is no longer necessary for the purpose for which it was collected; and providing effective and readily available independent recourse for individuals who are affected by non-compliance, allowing complaints and disputes to be investigated and resolved expeditiously at no cost to the individual.

Next steps

The Draft Adequacy Decision will now go through its adoption procedure. Following the opinion given by EDPB, the European Commission will seek approval from a committee composed of representatives of the EU Member States. Meanwhile, the European Parliament has a right to review the adequacy decision. Once this procedure is completed, if the draft is approved, then the European Commission will then be able to proceed with adopting the final adequacy decision. After the adequacy decision is adopted, EU companies will be able to transfer personal data to US companies that are certified under the Framework without having to put in place additional data protection safeguards.

Keep a look out for a more in-depth review of the Principles, and further updates on the progress of the Draft Adequacy Decision, in the New Year. Please get in touch in the meantime if you need any legal advice on your international data transfers, including to the US.

To read more about the Executive Order, please see our October blog post here.