The adoption of a new adequacy decision for the USA (Transatlantic Data Privacy Framework) by the EU Commission would provide many companies with legal certainty when working with companies in the USA and cloud service providers. After it looked for a long time as if a new adequacy decision was imminent, the EU Parliament has now expressed its criticism. By means of an adequacy decision pursuant to Article 45 (3) of the GDPR, the EU Commission can determine that a third country offers an "adequate level of protection" for the protection of personal data.
In order to provide the best possible overview of the status, we have summarized the most important dates and stages of the process for you here:
- October 7, 2022: "Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities" by U.S. President Biden and orders by the U.S. Attorney General: This is intended to address the main issues raised in the ECJ's Schrems II ruling: lack of proportionality and lack of effective remedies for EU citizens in the U.S. with regard to government surveillance activities.
- December 13: EU Commission draft of new adequacy decision
- February 14, 2023: Critical Opinion and Draft Motion for a Resolution of the EU Committee on Civil Liberties, Justice and Home Affairs of the European Parliament the European Commission to the EU Parliament (often abbreviated as the "LIBE Committee"): The committee argued that the draft did not establish true equivalence with the European Union in terms of data protection levels
- February 28, 2023: Opinion of the European Data Protection Board on the EU Commission's new draft: The opinion is mostly positive. The European Data Protection Board welcomes the substantial improvements introduced by the new draft: in particular, the introduction of necessity and proportionality requirements for data collection by U.S. intelligence agencies and the creation of new redress mechanisms for U.S. data subjects. The EDPB expresses concerns with regard to certain rights of data subjects, onward transfers of personal data and the scope of exemptions, the temporary bulk collection of data, and the functioning of the redress mechanism in practice.
- May 11, 2023: EU Parliament resolution on the adequacy of the protection provided by the EU-US data protection framework: Parliament is extremely critical, concluding that the EU-US data protection framework „fails to create essential equivalence in the level of protection; calls on the Commission to continue negotiations with its US counterparts with the aim of creating a mechanism that would ensure such equivalence and which would provide the adequate level of protection required by Union data protection law and the Charter as interpreted by the CJEU; calls on the Commission not to adopt the adequacy finding until all the recommendations made in this resolution and the EDPB opinion are fully implemented;
Outlook and Significance for Practice:
It should be noted that an adequacy decision is only issued by the EU Commission itself and neither the opinions and objections of the European Data Protection Board nor those of the EU Parliament are binding for this. However, the negative decision of the EU Parliament is a clear political statement. It remains to be seen whether and how the EU Commission will take this critical opinion into account.
Originally, Dr. Ralf Sauer (Deputy Head of Unit of the International Data Flows and Data Protection Unit at the European Commission, Directorate-General for Justice and Consumers) had expressed during the 7th German-American Data Protection Day on April 19, 2023 that the adequacy decision would be issued by the end of July 2023 and thus before the summer break. It thus remains interesting to see whether this timeline can be met. Of course, we will keep you up to date.
'/%3e%3c/svg%3e){kind=small}
'/%3e%3c/svg%3e){kind=small}
