New EU-U.S. Adequacy Decision Draft: Advantages and Key Aspects
EU and U.S. Data Transfer Agreement
9 January 2023
An adequacy decision is a formal decision of the European Commission recognizing that a country outside the EU provides an essentially equivalent level of data protection to that within the European Economic Area (EEA). There is no time limitation, however, the European Commission continuously monitors developments in countries and international organizations that could affect its decision. Learn more about the European Commission’s role here. These decisions can be renewed every 4 years.
Conversely, the European Parliament and the Council may request the European Commission to maintain, amend or withdraw the adequacy decision on the grounds that its act exceeds the implementing powers provided for in the regulation. The main advantage of obtaining the formal decision of adequacy, is having the permission to transfer data without further conditions or authorizations from the EU to that third country. In other words, transfers to the third country which received an adequacy decision will be assimilated to intra-EU transmissions of data.
The EU Commission launched the process regarding the adoption of an adequacy decision for EU-U.S.
How the adequacy decision for United States will improve data transfers between EU and U.S.?
The current framework for cross border access to health data initially collected for a completely different purpose (secondary use of data) in the context of international scientific research is highly fragmented due to several national specificities.
This fragmentation originates from a provision of the GDPR granting MS the ability to adopt stricter laws regarding the processing of health data.
The lack of a common definition at EU level of what is considered “secondary use” of data increases the ability of MS to establish different frameworks. A study carried out under the TEHDAS (Towards the European Health Data Space project on barriers to cross-border sharing of health data for secondary use points out that this difficult demarcation between primary and secondary use of data makes it more complex to delimit what the data subject has really consented to during the initial research, when the initial research was based on his consent.
The adequacy decision on EU-U.S. under the name of “Privacy Shield” was adopted on July 12, 2016. In 2020, this decision was invalidated by the EU Court of Justice due to the limitations of personal data protection provided by the U.S. domestic law and due to the U.S. public authorities level of access to the personal data transferred to EU. It was concluded that the provisions in U.S. law do not comply with the requirements of those provided by the EU law. Until the adoption of an adequacy decision, the EU Court of Justice enforced the use of the Standard Contractual Clauses (SCCs) for all organizations which transfer personal data between EU-U.S. to ensure an adequate protection of data transfers.
After the Schrems II judgement, the EU Commission performed a thorough analysis of the EU-U.S. data transfers to ensure that the process protects the citizens’ privacy. To that end, the EU Commission began discussing a new adequacy decision with the U.S. government that would be aligned with the Article 45(2) of Regulation (EU) 2016/679 requirements in order to have a legal, free and safe data transfer framework between both territories. The new draft will replace the “Privacy Shield”; an Executive Order “Enhancing Safeguards for United States Signals Intelligence Activities” was signed by President Biden inn October 2022. The draft of adequacy decision was recently submitted to the European Data Protection Board (EDPB).
What does the EU-U.S. adequacy decision draft specify?
The new draft for adequacy decision was made public for consultation on December 13, 2022. It states under Chapter 1. (7) and (8) the assurance of a careful analysis by the EU Commission of the US law and practice and the conclusions of the EU Commission are that the US ensures an adequate level of transferring personal data between EU-U.S. Moreover, the decision highlights the assurance of having “the effect that personal data transfers from controllers and processors in the (European) Union to certified organisations in the United States may take place without the need to obtain any further authorisation.” (Draft adequacy decision on EU-US, (8), page 3).
With respect to the certified organizations, Chapter 2. (2.1.1.) underlines that the Data Privacy Framework (DPF) is “based on a system of certification by which U.S. organizations commit to a set of privacy principles”. For a U.S. organisation to be eligible for this type of certification, it has “to be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) or the U.S.? Department of Transportation (DoT)”.
The role qualifications are defined in the DPF to be applicable to U.S. organizations that have certified their adherence to the DPF Principles. The DPF applies to U.S. organizations which are qualified as Controllers or Processors. It is important to note that U.S. Processors “must be contractually bound to act only on the instructions of EU Controller and assist the latter in responding to individuals exercising their rights under the DPF Principles.” (Ch. 2.1, (12)).
EU-U.S. Data Privacy Principles (e.g. purpose of limitation, processing special categories of personal data) are drafted in a clear manner. The draft specifies that “any data considered sensitive in the EU data protection law (including sexual orientation, genetic and biometric data) will also be treated as sensitive data under EU-US DPF by the certified organizations”.
Individual rights are drafted more accurately and specifically. In particular, the automated decision issue was addressed. In 2018, the EU Commission, while performing the secondary annual review of the “Privacy Shield”, found that the U.S. do not have sufficient evidence for the automated decision to be normally performed. To address this issue, the new draft guarantees to have a set of specific safeguards for protection against adverse decisions. Such safeguards are related to credit lending (i.e. Fair Credit Reporting Act and Equal Credit Opportunity Act), employment and insurance (i.e. for health information – HIPAA privacy rules) (Ch. 2.2, (33) and (35).
What are the next steps for the EU-U.S. adequacy decision to be approved?
Based on the experience with other countries, the EU officials estimated that it would take 6 months for the EU-U.S. adequacy decision to be adopted. The next step is for the draft to go through its adoption procedure. The draft was submitted by the EU Commission to the European Data Protection Board (EDPB), After EDPB approval, the EU Commission will seek approval from the EU member states representative committee. An important note is that the European Parliament has a right of scrutiny over adequacy decisions. Once this procedure is completed, the Commission can proceed to adopting the final adequacy decision.
After the EU-U.S. adequacy decision is adopted, the European entities will be able to transfer personal data to the certified companies in the United Sates, without applying additional safeguards for data protection.