On Tuesday, 13 December, the European Commission published its draft decision recognising the adequate level of protection of personal data under the EU-US Data Privacy Framework (DPF). The Commission also published a Questions & Answers document explaining the definition, criteria, limitations and redress mechanisms of its adequacy decision with the US. In a statement, European Commissioner for Justice Didier Reynders said: "Our analysis has showed that strong safeguards are now in place in the US to allow the safe transfers of personal data between the two sides of the Atlantic," and that the "future Framework will help protect the citizens' privacy, while providing legal certainty for businesses."
The draft decision denotes the beginning of the commission's review toward finalisation, which could take up to six months. The DPF could, therefore, realistically be completed by July 2023, three years after the Schrems II ruling by the Court of Justice of the European Union (CJEU), which struck down the EU-US Privacy Shield framework.
In response, honorary chairman of Austrian privacy group NOYB Max Schrems confirmed they would analyse the draft decision over the coming days. However, he stated: "As the draft decision is based on the known Executive Order, I can't see how this would survive a challenge before the Court of Justice. It seems that the European Commission just issues similar decisions over and over again - in flagrant breach of our fundamental rights."
The next steps will be for the European Data Protection Board (EDPB) to examine the draft decision before a committee of representatives of the EU Member States and the European Parliament have their input into the approval process of adequacy decisions. If the DPF is approved, it will effectively operate like the Privacy Shield and Safe Harbour did before it. US-based companies that sign up will have to commit to comply with a detailed set of privacy requirements enforced by a newly established Data Protection Review Court.
The IAPP provides details on and reactions to the draft and what comes next.
UPDATE: 151222 - The IAPP has conducted a comparison of the privacy principles that were found within the DPF against its predecessor, the EU-US Privacy Shield Framework.
What is this page?
You are reading a summary article on the Privacy Newsfeed, a free resource for DPOs and other professionals with privacy or data protection responsibilities helping them stay informed of industry news all in one place. The information here is a brief snippet relating to a single piece of original content or several articles about a common topic or thread. The main contributor is listed in the top left-hand corner, just beneath the article title.
The Privacy Newsfeed monitors over 300 global publications, of which more than 5,750 summary articles have been posted to the online archive dating back to the beginning of 2020. A weekly roundup is available by email every Friday.