Home Knowledge Christmas comes early for EU-US Data Transfers

Legal Practitioner and Client Costs – 97% of Costs Awarded by Legal Costs Adjudicator

December 18, 2022
Senior Associate
Rachel Hayes
Partner
John O’Connor

On 13 December 2022, the European Commission gave the green light to a new EU-US data transfer legal framework by publishing its draft decision on US adequacy for EU-US data transfers (“Draft Decision”).

If confirmed by EU institutions, the Draft Decision will pave the way for organisations to transfer personal data from the EU to the United States of America (US) under an alternative transfer mechanism to be known as the EU-US Data Privacy Framework (“DPF”).

The Draft Decision is a positive development for EU-US data transfers after a prolonged state of limitations on personal data transfers to the US since the invalidation of the EU-US Privacy Shield in the Schrems II Court of Justice decision in July 2020 (see our previous analysis here). While the Draft Decision potentially means a future US adequacy decision will be forthcoming in the near term, in the meantime organisations must continue to rely on other transfer mechanisms, such as the EU standard contractual clauses.

The DPF meets the standard of “essential Equivalence”

The Draft Decision confirms that the DPF meets the “essential equivalence” standard, as set down in the Schrems II decision. It is the first milestone towards the new DPF being approved as a transfer mechanism under the General Data Protection Regulation (GDPR), allowing for the free flow of personal data from the EU to the US where the ‘data importing’ US organisation is (re-)certified under the DPF.

In the Draft Decision, the European Commission makes it clear that “essential equivalence” does “not require finding an identical level of protection” in a third country, nor does it require “point-to-point replication” of the GDPR’s rules. Instead, the test for adequacy is: “whether, through the substance of privacy rights and their effective implementation, supervision and enforcement, the foreign system as a whole delivers the required level of protection”.

The Draft Decision outlines that President Biden’s Executive Order (EO), and the Regulation on the Data Protection Review Court issued by the US Attorney General (AG Regulation) are the key components of the DPF resulting in a determination of “essential equivalence” for the US.

Key features of the Draft Decision

The key features are the Draft Decision are:

  1. Privacy principles: The DPF’s privacy principles (established by the US Department of Commerce) are the same as those of its predecessor, the EU-US Privacy Shield, but reflect aspects of the GDPR.
  2. (Re-) Certification for US organisations: US organisations will be able to avail of the DPF by committing to comply with a detailed set of privacy obligations, for instance, the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties. It is also possible for US organisations that maintained their Privacy Shield certification to re-certify under the DPF.
  3. Necessity of any interference: In response to one of the issues identified by the Court in Schrems II, the European Commission has confirmed that based on the available information about the EO and AG Regulation, any interference in the public interest (i.e. national security purposes) by US public authorities with the fundamental rights of data subjects whose data are transferred to the US under the DPF, will be limited to what is strictly necessary to achieve the legitimate objective of that access.
  4. Monitoring mechanism: a monitoring mechanism whereby US authorities are required to inform the European Commission of material developments in the EO which impact on the DPF and any evolution in practices related to the processing of personal data under the DPF.
  5. Review mechanism: in applying Article 45(3) of the GDPR, the European Commission will review the adequacy finding to ensure essential equivalence still stands after one-year post implementation. Following this, periodic reviews will take place every four years. The review will be in the form of a public report submitted to the European Parliament and the Council.

Next steps: it is over to EU institutions

The Draft Decision will now be scrutinised by EU institutions for approval, as part of the European Commission’s comitology procedure. If approved, the Draft Decision will be confirmed in early 2023. The first EU institution that will review the Draft Decision is the European Data Protection Board, which will give a non-legally binding but influential opinion on the Draft Decision.

What should organisations do in the meantime?

While the Draft Decision is a welcome development, organisations must continue to rely on the GDPR’s other transfer mechanisms (such as the standard contractual clauses) until the Draft Decision is confirmed (or not approved) and the DPF is fully operational.

Contributed by Róisín Culligan

Related Practice Areas
Data Protection & Privacy
Related Sectors
Technology, Data & Comms

Recommended Insights

See all
Article and Insights
11
Apr 2024
Stricter Rules for the GDPR’s One-Stop-Shop?
The EDPB, in its new opinion, looks at the criteria to be fulfilled for a controll...
WF_author_blank
Partner
John O’Connor
Article and Insights
12
Mar 2024
Food, Beverage & Agribusiness Podcast – Data Protection & Cyber Security
In this episode Laura considers how these issues have become an increasingly criti...
WF_author_blank
Associate
Laura Casey
Article and Insights
26
Jan 2024
Data Protection Day: Expectations for 2024 & 2023 Look Back
William Fry is celebrating the Council of Europe’s annual Data Protection Day toda...
WF_author_blank
Partner
Leo Moore
Article and Insights
21
Nov 2023
DSARs: Motive and a Coordinated Action
DSARs: motive is not a relevant factor to Europe's highest court and regulators wi...
WF_author_blank
Partner
David Cullen
Article and Insights
13
Nov 2023
The Art of Staying Anonymous: Game-Changing Decision for Data Anonymisation
A recent European court decision has shifted the goalposts on the standard of data...
WF_author_blank
Partner
Leo Moore
Article and Insights
8
Sep 2023
AdTech Update: CJEU Landmark Data Protection Ruling for Online and Behavioural Advertising
The CJEU has handed down a landmark ruling that clarifies what legal bases control...
WF_author_blank
Partner
Leo Moore
Article and Insights
14
Jul 2023
Sharing is Caring: The Financial Data Access Regulation
We look at the European Commission's new proposal for a framework to manage the sh...
WF_author_blank
Partner
John O’Connor
Article and Insights
12
Jul 2023
Irish Circuit Court Values Non-Material Damage Data Protection Claim
First award of damages in a data subject claim given by an Irish Court.
WF_author_blank
Senior Associate
Adele Hall
Article and Insights
11
Jul 2023
Third Time Lucky? European Commission Adopts Adequacy Decision for EU-US Transfers
Trans-Atlantic businesses breathe a welcome sigh of relief as Didier Reynders, Com...
WF_author_blank
Senior Associate
Rachel Hayes
Article and Insights
29
Jun 2023
Green Light for EU-US Transfers? Adequacy Decision for USA is in Sight
Green light for EU-US transfers? Meta appeal against DPC Decision remains on hold ...
WF_author_blank
Senior Associate
Rachel Hayes
prev
next
See all