European Commission launches process to adopt legal framework for EU-US data flows


As the year 2022 was drawing to a close, the European Commission published its draft adequacy decision on the future of international data transfers with the United States. The draft adequacy decision, more specifically, marked the launch of a process to adopt a legal framework laying down rules for ensuring proper data protection for European citizens whose data is transferred across the Atlantic. The Commission’s draft decision was issued in the wake of the publication of the new EU-US Data Privacy Framework, presented by European Commission President, Ursula von der Leyen, and US President, Joe Biden, in March 2022, as well as the subsequent issuing of the US Government’s Executive Order to implement the EU-US Data Privacy Framework, the latter which we have previously addressed here. Both documents seeks to address the concerns of the Court of Justice of the European Union’s (CJEU) so-called Schrems II decision from 2020, which called out the US for lacking appropriate data protection measures during transatlantic data flows. 

Rooted in the Schrems II decision, the EU-US Data Privacy Framework is set to ensure “essentially equivalent data protection” for EU citizens’ data that is being transferred across the pond. Therefore, the European Commission’s draft adequacy decision should be understood as an assessment of the legal framework presented by the US in its Executive Order. According to the conclusion laid down in the draft decision, the Commission has found the US’ new legal framework on data privacy to “provide comparable safeguards to those of the EU” and likewise that the US “ensures an adequate level of protection for personal data transferred from the EU to US companies.” That the Commission has come to such decision is an important step in the right direction for European businesses, as international data transfers are crucial to boost innovation and growth, and to allow enterprises to reach new consumers, access other markets, and generally be globally competitive. This is also a standpoint that  Ecommerce Europe previously has flagged together with a group of other industry associations. 

One of the key elements underlying the Commission’s draft adequacy decision is the fact that American companies will have to commit to comply with an exhaustive set of privacy obligations, if wanting to partake in the EU-US Data Privacy Framework. More concretely, these privacy obligations entail that US companies will be required to “delete personal data, when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties.” Moreover, the draft adequacy decision acknowledges the redress instruments put forward by the US Government, which shall help EU citizens, who believe their personal data has been handled in violation of the Data Privacy Framework, to seek redress, free of charge, via independent dispute resolution mechanisms as well as an arbitration panel.  

Another issue that was raised in the CJEU’s Screms II decision concerned US public authorities’ access to data, especially in regard to criminal law enforcement and national security purposes. This element has also been tackled in the US’ Executive Order, and now endorsed by the European Commission. In particular, the new legal framework introduces limitations and safeguards on public bodies’ access to EU citizens’ data, meaning that access to such data by US intelligence agencies will be limited to what is deemed necessary and proportionate for the protection of national security. Also in relation to this, the US Government will implement an independent and impartial system for seeking redress, including the newly established Data Protection Review Court, which shall investigate and resolve complaints from EU citizens. 

Finally, these new initiatives put forward by the US Government to ensure “essentially equivalent data protection” during transatlantic data transfers will also be applicable to other types of data transfer mechanisms, meaning that European companies, making use of e.g. standard contractual clauses, can continue doing so in good faith without fearing being at odds with the law. 

Following the Commission’s draft adequacy decision, virtually approving the US’ new data protection measures, the draft decision is now up for assessment by the European Data Protection Board, after which the text will need approval from the EU Member States. Moreover, the European Parliament also has the right of scrutiny over the text, before the European Commission might proceed with the process of adopting the final adequacy decision. Only after this, the EU-US Data Privacy Framework can formally enter into force. 

If you have any questions or wish to know more about the topic, please feel free to contact us at