The European Commission has announced that a Trans-Atlantic Data Privacy Framework, a voluntary agreement placing protections on EU data dealt with by US companies, is set to be approved by EU member states.
In a press release, the EC stated that its draft adequacy decision has been “published and transmitted” to the European Data Protection Board (EDPB) for review, the first stage leading to fully-fledged adoption.
The framework involves US companies promising to respect EU data according to a number of well-established data protection principles, such as deleting data when it is no longer necessary for the purpose it was collected, and continuing to ensure a level of privacy when data is passed to third parties.
The EC’s US adequacy decisions
An adequacy decision is a ruling by the EU stating that another country or territory is providing a level of personal data protection equivalent to its own, per article 45(3) of the General Data Protection Regulation (GDPR).
In this case, the EU is convinced that US companies are providing adequate protection for the data they handle from the EU, or will, if they join the framework.
This latest adequacy decision follows groundwork laid by Joe Biden in an Executive Order issued in October 2022 (a Presidential “decree”, as it were, that does not require Congressional approval but is limited in scope to regulations that impact the operation of the federal government), and regulations issued by the US Attorney General Merrick Garland earlier this year.
Together, these measures, as per the EC, bound the US’ commitments into domestic law. Some of the proposed measures are, on paper, quite encouraging.
The Executive Order, for instance, requires that access to European data by US intelligence is ‘necessary and proportionate’ in the protection of national security, and that a Data Protection Review Court is established so that European citizens can challenge how their data has been used if they believe it violates the framework.
However, there’s no cause to celebrate quite yet. Per EU law, the EC must seek approval for the decision from a committee of EU member states, and then from the European Parliament. By the sounds of it, though, the Commission expects no trouble, perhaps because of the checks and balances targeting intelligence agencies.
In 2016, a previous adequacy decision between the EU and the US was also issued in relation to the “EU-U.S. Privacy Shield Framework”, which was also meant to guarantee safe passage of data between the EU and US companies.
However, the decision was invalidated by the Court of Justice of the European Union (CJEU) in a July 2020 court case involving the tech giant Meta, with concerns being raised about the access US intelligence agencies had to data.
This led to over a year of negotiations between the EU and US, before the announcement of a new framework in March 2022.