March 31, 2023

Volume XIII, Number 90


March 30, 2023

Subscribe to Latest Legal News and Analysis

March 29, 2023

Subscribe to Latest Legal News and Analysis

March 28, 2023

Subscribe to Latest Legal News and Analysis

European Commission to Start Adequacy Decision Adoption Process for the EU-U.S. Data Privacy Framework

On December 13, 2022, the European Commission launched the process for the adoption of an adequacy decision for the EU-U.S. Data Privacy Framework. If adopted, the long-awaited adequacy decision will provide EU companies transferring personal data to the U.S. with an additional mechanism to legitimize their transfers.

An adequacy decision would foster trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union (“CJEU”) judgment in the Schrems II case.


Adequacy decisions are one of the tools offered by Chapter V of the EU General Data Protection Regulation (“GDPR”) in order to legitimize transfers of personal data from the EU to third countries which, according to the EU Commission, provide an adequate level of protection of personal data.

The proposal for a draft adequacy decision marks the culmination of years of intense negotiations between the EU and the U.S., following the Court of Justice’s declaration that the EU-U.S. Privacy Shield Framework was invalid in its Schrems II judgment.

The draft adequacy decision follows President Biden’s signature on October 7, 2022, of the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, which provides a new framework for legal data transfers between the EU and the U.S. (the “EU-U.S. Data Privacy Framework”).

Key Takeaways

Companies that adhere to the EU-U.S. Data Privacy Framework by self-certifying and committing to comply with a detailed set of privacy obligations will be able to receive EU personal data without having to put in place additional transfer safeguards. Companies’ commitments when self-certifying to the EU-U.S. Data Privacy Framework include, among others, the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected and to ensure continuity of protection in the event of onward transfers.

Under the new EU-U.S. Data Privacy Framework, Europeans will be offered several redress mechanisms if their personal data is handled in violation of the Framework, including a two-layer redress mechanism. Under this two-layer redress mechanism, EU individuals will be able to lodge a complaint to the so-called “Civil Liberties Protection Officer” of the U.S. intelligence community and appeal the decision of the Civil Liberties Protection Officer before the newly created Data Protection Review Court (the “Court”). The Court will be competent to investigate and resolve complaints regarding access by U.S. national security authorities to EU individuals’ personal data and to take binding remedial decisions (such as to order the deletion of the data by the relevant intelligence agency). According to the EU Commission, this mechanism presents significant improvements compared to the redress mechanism that was available under the EU-U.S. Privacy Shield.

Additional limitations and safeguards which specifically aim at addressing the CJEU judgment in the Schrems II case are also included in the EU-U.S. Data Privacy Framework, such as the limitation of U.S. intelligence agencies’ access to European data to what is necessary and proportionate to protect national security.

Next Steps

The European Data Protection Board (“EDPB”) will now provide its opinion on whether the new EU-U.S. Data Privacy Framework is sufficient to ensure an equivalent level of protection for personal data transferred from the EU to U.S. companies. Afterwards, the approval of the draft adequacy decision by a committee of Member States representatives will be sought. Finally, the European Parliament will also have a right of scrutiny over the draft adequacy decision.

Once the adoption process is complete, the EU Commission can adopt the final adequacy decision. The adoption process for the EU-U.S. Data Privacy Framework is expected to take around six months.

In the meantime, companies can continue relying on the other transfer mechanisms made available by the GDPR, such as the EU Commission’s Standard Contractual Clauses. Read the European Commission’s Questions & Answers and the draft adequacy decision.

Copyright © 2023, Hunton Andrews Kurth LLP. All Rights Reserved.National Law Review, Volume XII, Number 349

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...

212 309 1223 direct