European Commission approves new framework for EU-US data flows

Published today, the draft decision concludes that the new agreement, agreed in principle by the European Union (EU) and US in March 2022, will ensure an adequate level of protection for personal data transferred from the EU to the US.

The positive decision comes after years of negotiation following the Schrems II ruling by the Court of Justice of the European Union (CJEU) in July 2020, which invalidated the Privacy Shield mechanism used by organisations to facilitate transatlantic data flows.

Earlier this year, an Executive Order was signed by President Biden, outlining commitments the US would make to address the concerns raised by Schrems II. These include new obligations and safeguards for US Intelligence Services’ access to and use of personal data, as well as detailed requirements that US companies joining the EU-U.S. Data Privacy Framework must comply with, such as facilitating avenues for individuals to seek redress.

In its decision, the European Commission (EC) itself states that its assessment does not seek a "point to point replication of Union rules," but rather that "the foreign system as a whole delivers the required level of protection," making it "essentially equivalent" to that ensured within the EU.

This is a widely welcomed development which will provide businesses of all sizes the legal certainty they need to transfer data between the two regions in order to innovate, enter new markets, and deliver basic services.

 

A long road ahead

However, the EC's positive decision is one step in a much longer process to formally adopt an adequacy decision with the US. The draft adequacy decision will be submitted to both the European Data Protection Board (EDPB) and a committee made up of representatives of EU Member States. The European Parliament can also weigh in on the decision, given its right of scrutiny over adequacy decisions.

Once functioning, the EU-US Data Privacy Framework will be subject to periodic reviews, carried out by the EC, EDPB and competent US authorities. The first review will take place within one year after the framework comes into force, to ensure appropriate implementation and operation.

Despite the EC’s positive review, the new agreement will also need to withstand scrutiny by privacy activists, whose complaints struck down both the former Privacy Shield and the Safe Harbour mechanism, which came before the EU-U.S. Data Privacy Framework.

Speaking at an event hosted by POLITICO earlier this week, EU Justice Commissioner Didier Reynders said the new EU-US pact has a "seven or eight out of ten chance" of weathering a legal challenge. It is expected that the new deal will go back to the CJEU for review. Max Schrems, the Austrian privacy campaigner who first called the former EU-US data sharing frameworks into question, has already made clear that he intends to challenge the newest pact.

 

Where does that leave the UK?

Today’s announcements mark a positive step for the UK Government, which is in the process of conducting its own speedy assessment of the Executive Order in order to secure an adequacy decision for UK-US data sharing, as announced earlier this year in a UK-US joint statement.

A positive adequacy decision for EU-US data sharing will provide the legal and political certainty needed to ensure that the EU’s data sharing agreement with the UK will remain intact, while the UK pushes ahead with determining an adequacy decision for UK-US data flows.

Until then, businesses on both sides of the Atlantic will no doubt closely follow developments in this area, and urge decision-makers to work at speed.

 


 
