As U.S.-based companies await a decision by the European Union (EU) regarding data transfers, the European process for approving the EU-U.S. data privacy framework has progressed a step. The European Commission released a draft adequacy decision on December 13, 2022, approving the new EU-U.S. data privacy framework established in part by Executive Order (EO) 14086. The draft adequacy decision is the first step in the EU's adoption procedure. Until the framework is officially approved by the EU, companies transferring data across the Atlantic should continue to rely on standard contractual clauses (SCCs) and binding corporate rules (BCRs), supported by transfer impact assessments (TIAs). Companies should also begin preparations to become certified under the new framework if they intend to rely on it as a lawful transfer mechanism once it is officially adopted. The European Commission is expected to issue an official decision adopting the new framework sometime in the coming months.

Background

The European General Data Protection Regulation (GDPR) provides personal data protections and regulates the transfer of data from the EU to a third country. Businesses may transfer data to a third country using SCCs or BCRs, or by relying on an adequacy decision from the European Commission that finds a third country’s laws to provide an “adequate level of protection.”

In 2020, the Court of Justice of the European Union (CJEU) identified perceived deficiencies in U.S. surveillance law and, on that basis, invalidated the EU-U.S. data privacy framework in the Schrems II decision. Since then, businesses have relied on SCCs and BCRs, supported by TIAs, to lawfully transfer data from the EU to the United States.

On October 7, 2022, President Biden issued EO 14086, which addressed the perceived deficiencies in U.S. surveillance law identified by the CJEU in the Schrems II decision. The EO establishes new safeguards for personal data subject to U.S. signals intelligence activities and a two-tier redress mechanism that includes a new Data Protection Review Court (DPRC).

The European Commission reviewed U.S. law, including the new EO, and issued its draft adequacy decision approving the new EU-U.S. data privacy framework on December 13, 2022.

The Draft Adequacy Decision

The draft adequacy decision finds that, with the adoption of EO 14086 and related U.S. Department of Justice (DOJ) regulations that establish the DPRC, the United States “ensures an adequate level of protection for personal data transferred under the EU-U.S. [Data Protection Framework]” from an EU-based controller or processor to certified U.S.-based entities.

In reviewing the EO and its features, the European Commission used the standards laid out by the CJEU in Schrems I and Schrems II, which together require a third country to provide personal data with an “adequate level of protection,” limit interference with privacy rights to that which is necessary and proportional to meet a legitimate objective, and provide individuals with a remedy when their privacy rights are interfered with.

With respect to EU personal data transferred to the United States by businesses, the European Commission finds the United States provides an adequate level of protection through its EU-U.S. Data Privacy Framework Principles (Privacy Principles) issued by the U.S. Department of Commerce (DOC). A business must certify that it will adhere to these principles if it will transfer data to the United States on the basis of the adequacy decision.

The European Commission also finds that the United States adequately limits government interference with privacy rights to that which is strictly necessary to achieve a legitimate objective authorized by law. This finding is largely based on the new safeguards and limitations established by the new EO.

Finally, the European Commission finds that the United States provides sufficient oversight to detect interferences with privacy rights and redress mechanisms to remedy those interferences when they occur. The two-tiered redress mechanism established by the EO that includes the new DPRC played an essential role in this finding.

Immediate Impact

The draft adequacy decision does not make the new data privacy framework effective. It is only the initial step in the EU adoption procedure.

The European Commission formally presented the draft adequacy decision to the European Data Protection Board (EDPB) on January 17, 2023. The EDPB will issue its own opinion on the framework, and the European Parliament also has the option to issue a nonbinding position. Based on this feedback, the European Commission may then make revisions before submitting the decision for approval by EU member states. Once the decision is approved by EU member states, the European Commission can formally adopt a final adequacy decision on the transatlantic data privacy framework. The final decision is expected to be issued next spring.

Next Steps for U.S.-Based Companies

For now, companies should continue to rely on SCCs and BCRs, supported by TIAs, but also begin preparations to comply with the Privacy Principles if they intend to rely on the adequacy decision once it is finalized. Although a final adequacy decision making the framework effective is expected next spring, companies should keep their SCCs and BCRs handy. As we explained in our last Update, this framework is the third attempt to satisfy the CJEU, and we expect that it will be challenged as soon as it goes into effect.