The EC’s draft adequacy decision, which has been forwarded to the European Data Protection Board, concludes that the U.S. provides “an adequate level of protection.” For this historic agreement to work, companies would have to fulfill a set of “privacy obligations.” Also, U.S. government agencies must comply with stringent privacy regulations limiting their access. If the EU-U.S. Data Privacy Framework is adopted, it would close the book on the privacy debacle highlighted by the European Union’s Court of Justice in its July 2020 Schrems II decision. “We are now confident to move to the next step of the adoption procedure,” EU Justice Commissioner Didier Reynders said in a statement. “Our analysis has showed that strong safeguards are now in place in the U.S. to allow the safe transfers of personal data between the two sides of the Atlantic.”
Compliance Requirements
The EU-U.S. Data Privacy Framework outlines several compliance requirements for U.S. companies, intelligence agencies, law enforcement, and the government. One of these conditions is that U.S. companies “delete personal data when it is no longer necessary for the purpose for which it was collected.” Also, companies must ensure the continuity of data protection measures when they share this data with third parties. The framework sets up ways for EU citizens to seek restitution if they feel their privacy has been violated. “EU citizens will benefit from several redress avenues if their personal data is handled in violation of the Framework, including free of charge before independent dispute resolution mechanisms and an arbitration panel,” the Commission said. The newly created Data Protection Review Court will be tasked with investigating and resolving privacy breach complaints from Europeans. Furthermore, access to the personal data of EU citizens by U.S. public authorities will be restricted to what is “necessary and appropriate.” “European companies will be able to rely on these safeguards for trans-Atlantic data transfers, also when using other transfer mechanisms, such as standard contractual clauses and binding corporate rules,” the Commission added.
Trans-Atlantic Data Flow
This draft decision has been years in the making, but there’s still a long way to go. Earlier this year, President Joe Biden and EC President von der Leyen announced a preliminary agreement for trans-Atlantic data flow. Now, the draft will be analyzed by the European Data Protection Board. Depending on the outcome, the Commission will proceed to seek the approval of EU member states. The EU parliament may also opt to scrutinize the draft. If all goes well, the Commission can finalize its adequacy decision and adopt the framework. Once it’s passed, the EU-U.S. Data Privacy Framework will be reviewed periodically. “The first review will take place within one year after the entry into force of the adequacy decision, to verify whether all relevant elements of the US legal framework have been fully implemented and are functioning effectively,” the Commission said.