The General Data Protection Regulation (GDPR) sets additional rules for transfers of personal data outside the European Union. Data controllers and processors may transfer data to countries that the European Commission has found to provide a level of data protection essentially equivalent to that of the EU (an "adequacy decision"). In all other cases, the transfer is subject to additional safeguards, for example concluding a data processing agreement (DPA) that incorporates the standard contractual clauses (SCCs) developed by the European Commission.
Initially, transfers to the USA could rely on the EU-U.S. Privacy Shield, a framework the Commission had recognised as providing adequate protection for participating companies. After the Schrems II judgment of the Court of Justice of the European Union, however, the Privacy Shield could no longer be used as a transfer basis. From that point, companies had to put additional safeguards in place for such transfers, namely to conclude DPAs with SCCs and to perform a Transfer Impact Assessment (TIA) that assesses how easily US intelligence agencies can access the transferred personal data under US law and whether supplementary measures are therefore needed.
After the Schrems II judgment, the European Commission and the US government entered into discussions on a new framework addressing the issues the Court of Justice had raised.
In March 2022, an agreement in principle was announced after intense negotiations between the parties.
In October 2022, President Biden signed an Executive Order on 'Enhancing Safeguards for United States Signals Intelligence Activities'.
The Executive Order, together with its accompanying implementing regulations, translates the US commitments made in the March 2022 agreement into US law. On this basis, the European Commission has now published a draft adequacy decision for the EU-U.S. Data Privacy Framework.
Content of the draft
US companies that want to join the EU-U.S. Data Privacy Framework will have to commit to a set of privacy principles that mirror core GDPR requirements: data integrity and purpose limitation (for example, deleting personal data that is no longer needed for the purpose for which it was collected), and ensuring that any processor or other third party to which they pass personal data provides the same level of protection. In effect, the core GDPR rules will apply to US companies processing the personal data of Europeans: data processing principles, security measures, data subject requests, onward data transfers, and some additional obligations.
Since the main reason for invalidating the EU-U.S. Privacy Shield was access to personal data by US public authorities, the draft also adds limitations and safeguards on access for criminal law enforcement and national security purposes, such as:
- US intelligence agencies will be able to access the data of Europeans only to the extent necessary and proportionate to protect national security, and only under a strict procedure described in the draft and based on an exhaustive list of legal grounds for such access;
- EU individuals will be able to obtain redress regarding the collection and use of their data by US intelligence agencies before an independent and impartial redress mechanism, which includes a newly created Data Protection Review Court. The Court will independently investigate and resolve complaints from Europeans, including by adopting binding remedial measures.
European companies will be able to rely on the adequacy decision for trans-Atlantic transfers to certified US companies. The safeguards on government access will also benefit transfers made under other mechanisms, such as standard contractual clauses and binding corporate rules.
When to expect the final decision?
The draft will now go through its adoption procedure, which consists of the following steps:
- The Commission submits its draft decision to the European Data Protection Board (EDPB) for an opinion.
- The Commission then seeks approval from a committee composed of representatives of the EU Member States. In addition, the European Parliament has a right of scrutiny over adequacy decisions.
- Once these steps are completed, the Commission can proceed to adopt the final adequacy decision.
The EU-U.S. Data Privacy Framework will be periodically reviewed by the European Commission together with the European data protection authorities and the competent US authorities. The first review will take place within one year of the entry into force of the adequacy decision, to verify whether all relevant elements of the US legal framework have been fully implemented and are functioning effectively in practice.
All in all, companies that work with the US and transfer personal data there should track the updates and changes to this draft decision, as it may impose new obligations on them. On the other hand, it opens up new opportunities for companies that have so far been reluctant to transfer data to the US, so it is worth following this issue for that reason too. You may find the full text of the draft decision via the link.