There has been a very recent stir in the EU-US relations regarding the flow of personal data across the Atlantic. After reaching a cornerstone agreement on a new Transatlantic Data Privacy Framework (“TADPF”) back in March this year (you can recall our review of the matter here), the two Parties are yet another step closer to securing the free data flows between themselves.
What is new?
On 13 December, the European Commission (the “EC”) has adopted a draft adequacy decision which concludes that the US ensures an adequate level of protection for personal data transferred from the EU to the US. This step comes after the signing of an Executive Order by the American president Biden in October, by virtue of which the TADPF was implemented into the US law (our brief input on this topic can be found here).
What is an adequacy decision?
An adequacy decision is one of the tools provided under the General Data Protection Regulation (GDPR) to transfer personal data from the EU to third countries which, according to the EC, offer a comparable level of protection of personal data to that of the EU. Adequacy decisions are the legal basis on which personal data can be transferred freely and safely to third countries without any further conditions or authorisations. In other words, transfers to third countries can be handled in the same way as transfers within the European Economic Area. US companies that participate in the TADPF will be required to comply with a detailed set of privacy obligations (such as purpose limitation, data retention, data security and data sharing requirements).
What comes next?
An adequacy decision has yet to be adopted. The EC has only proposed a draft, which has been transmitted to the European Data Protection Board for its opinion. After that, the EC will seek approval from a committee composed of representatives of the EU Member States. In addition, the European Parliament has a right of scrutiny over adequacy decisions. Only after that, the EC can adopt the final adequacy decision, which would allow data to flow freely and safely between the EU and US companies certified by the US Department of Commerce under the new TADPF.
Until the adoption of a final adequacy decision, the companies cannot rely on the draft decision as a legal instrument for free and secure data transfers from the EU to the US. Up to then, the companies can use other transfer mechanisms such as standard contractual clauses and binding corporate rules.
For further information contact:
Mileslava Bogdanova – Misheva, Senior Associate
Simona Mokreva, Associate