The European Commission has announced that the Trans-Atlantic Data Privacy Framework, a voluntary agreement ensuring the protection of EU data handled by US companies, is to be approved by EU member states.
In a press release, the EC stated that its draft adequacy decision has been ‘published and forwarded’ to the European Data Protection Board (EDPB) for review, the first step towards full adoption.
The framework includes US companies that commit to respecting EU data in line with a number of well-established data protection principles, such as deleting data when it is no longer needed for the purposes for which it was collected and continuing to ensure privacy when data is transferred to third parties.
Decisions of the EC on the adequacy of the US
An adequacy decision is a decision by the EU that another country or territory provides an equivalent level of protection for personal data, pursuant to Art. 45 sec. 3 of the General Data Protection Regulation (GDPR).
In this case, the EU is confident that US companies provide adequate protection for EU-sourced data they process, or will if they join this framework.
This latest adequacy decision is the result of groundwork laid by Joe Biden in an Executive Order issued in October 2022 (a kind of presidential “decree” that does not require approval by Congress but is limited in scope to regulations affecting the functioning of the federal government) and regulations issued earlier, a year ago, by US Attorney General Merrick Garland.
Together, these measures, according to the EC, tied the US obligations into domestic law. Some of the proposed measures are quite encouraging on paper.
The Executive Order requires, for example, that US intelligence access to European data be “necessary and proportionate” to protect national security, and that a Data Protection Review Court be established so that European citizens can challenge the use of their data if they believe it violates the .
However, there is no reason to celebrate yet. According to EU law, the EC must obtain the consent of the EU Member State Committee and then the European Parliament. However, the Commission does not seem to expect trouble, perhaps due to checks and balances within the intelligence agencies.
In 2016, a previous adequacy decision was also issued between the EU and the US for the “EU-US Privacy Shield”, which was also supposed to guarantee secure data flow between EU and US companies.
However, the decision was annulled by the Court of Justice of the European Union (CJEU) in a July 2020 lawsuit with tech giant Meta, over concerns about U.S. intelligence agencies’ access to data.
This led to more than a year of negotiations between the EU and the US before the announcement of a new framework in March 2022.