The European Commission has announced that EU member states are expected to approve a Transatlantic Data Privacy Framework, a voluntary agreement that grants protection to EU data processed by US companies.
In a press release, the EC said its draft adequacy decision has been "published and sent" to the European Data Protection Board (EDPB) for its consideration, the first step leading to full adoption.
The framework requires US companies to commit to respecting EU data in accordance with a number of well-established data protection principles, such as deleting data when it is no longer needed for the purposes for which it was collected and maintaining some level of confidentiality when the data is transferred to third parties.
EC adequacy decisions in the United States
An adequacy decision is a decision by the EU that another country or territory provides a level of personal data protection equivalent to its own, pursuant to Article 45(3) of the General Data Protection Regulation (GDPR).
In this case, the EU relies on US companies to provide adequate protection for the data they process from the EU, or will do so if they join the framework.
This latest adequacy decision follows the groundwork laid out by Joe Biden in an Executive Order issued in October 2022 (a Presidential “Executive Order,” if you will, that does not require congressional approval, but whose scope is limited to regulations that affect the operation of the federal government) and regulations issued by US Attorney General Merrick Garland earlier this year.
Together, these measures, according to the EC, consolidated the US commitments in domestic law. Some of the proposed measures are, on paper, quite encouraging.
The executive order, for example, requires that access to European data by US intelligence services be "necessary and proportionate" in the protection of national security, and that a data protection review tribunal be established so that EU citizens can challenge how their data has been used if they believe it violates the framework.
However, there is still nothing to rejoice about. According to EU law, the EC must seek approval of the decision from a committee of EU member states and then from the European Parliament. However, at first sight, the Commission does not expect any problems, perhaps due to the checks and balances directed at the intelligence agencies.
In 2016, an earlier EU-US adequacy decision was also issued with respect to the “EU-US Privacy Shield Framework”, which was also intended to ensure the secure passage of data between EU and US companies.
However, the ruling was overturned by the European Court of Justice (CJEU) in a July 2020 court case involving tech giant Meta, over concerns about access by American intelligence agencies to the data.
This led to more than a year of negotiations between the EU and the US, before the announcement of a new framework in March 2022.