EU makes next move on EU-US data flow by finding agreement adequate
The European Commission has published its draft adequacy decision for data protection in EU-U.S. data flows, including specific safeguards for special categories such as biometric data.
The decision concludes that the EC finds the U.S. legal framework provides comparable safeguards as those of the EU, an “adequate level of protection.”
Tuesday’s launch of the process to adopt the EU-U.S. adequacy decision follows U.S. President Joe Biden’s signing of an executive order in October on ‘Enhancing Safeguards for United States Signals Intelligence Activities,’ agreeing to new rules for the interception of EU citizens’ private information by U.S. spy agencies. This followed the EU-U.S. agreement in principle signed in March 2022.
The draft decision (PDF, 134 pages of text and annexes) will now be send to the European Data Protection Board (EDPB) for its opinion, then approval from member states. Once in place it will mean European entities can transfer personal data to participation companies in the U.S. without the need for further safeguards.
Participation in the EU-U.S. Data Privacy Framework will require U.S. companies to comply with detailed privacy regulations. These cover personal data deletion when no longer necessary for the purpose for which it was originally collected.
Special categories of personal data are those considered sensitive under EU data protection law, including biometrics. They will have to be treated as such by certified organizations.
The counterpart U.S. legal framework includes limitations and safeguard covering issues such as what access U.S. public authorities have to the data in areas such as criminal law enforcement and national security.
The adoption process will also address concerns raised by the 2020 Schrems II decision by the Court of Justice of the European Union (CJEU) to limit US intelligence agencies to only European data that is necessary and proportionate to protecting national security. It struck down the previous data-transfer agreement known as the Privacy Shield.
It also gave EU individuals the possibility to gain independent redress over collection and use of their data by U.S. intelligence agencies, including via the newly-created Data Protection Review Court.
In 2021 the EC adopted two sets of standard contractual clauses (SCCs) which facilitated transfers of personal data from the EU to countries with which the bloc did not have an adequacy decision.
EU Justice Commissioner Didier Reynders told Politico that he would give the pact a “seven or eight out of 10” chance of withstanding a legal challenge, an event he considers inevitable.