On July 10, the European Commission (EC) published its data adequacy decision for the new EU-U.S. Data Privacy Framework (EU-U.S. DPF). This means that companies can transfer personal data from EU countries and from Iceland, Liechtenstein and Norway to U.S. organizations participating in the EU-U.S. DPF consistent with EU law. It is also expected that the adequacy decision will facilitate transfers through other EU legal mechanisms, including Standard Contractual Clauses and Binding Corporate Rules.
Previous adequacy decisions for the transfer of personal data from the EU to the US were struck down by the Court of Justice of the European Union (CJEU), in decisions known as Schrems I and Schrems II. Most recently, in the Schrems II decision, the EU judges expressed continued concerns about the relatively easy access to European personal data by US intelligence agencies.
In response, last October, US President Joe Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (EO 14086) to address these concerns.
After EO 14086 was issued, the European Commission began the formal process for adopting an adequacy decision on this new EU-US Data Privacy Framework, which resulted in the announcement on July 10.
EO 14086 sets forth a self-certification program similar to its predecessors known as the “Safe Harbor” and the “Privacy Shield”, but with stronger safeguards for certain US intelligence activities regarding European personal data, as well as an independent redress mechanism which includes a new Civil Liberties Protection Officer of the Office of the Director of National Intelligence and a new Privacy and Civil Liberties Oversight Board.
The strengthened safeguards include putting US intelligence services under the supervision of a Privacy and Civil Liberties Oversight Board, which will have access to all relevant documents, including classified information. Earlier this month, the US Commerce Secretary announced that the Office of the Director of National Intelligence has confirmed that the U.S. Intelligence Community has adopted policies and procedures pursuant to EO 14086.
In the coming days, US companies will be able to undergo the EU-U.S. DPF self-certification process on the US Commerce Department’s website. Once certified, companies will be able to import personal data from the EU and EEA into the U.S. without the need to rely on another data transfer mechanism, such as Standard Contractual Clauses (SCCs).
This latest data adequacy decision will be reviewed by the European Commission at least annually. In addition, the European privacy regulators will monitor how the redress mechanism works in practice. This third attempt at an adequacy decision for US/EU data transfers is bound to face a legal challenge from Austrian activist Max Schrems, who has already expressed reservations about the redress mechanism, which, while strengthened, still operates under the executive branch of the US government and thus is not fully independent.