European Commission Publishes U.S. Draft Adequacy Decision – Privacy Protection

European Commission Publishes U.S. Draft Adequacy Decision – Privacy Protection

To print this article, all you need is to be registered or login on

On 13 December 2022, the European Commission published its draft adequacy decision for
EU-U.S. data transfers. The draft decision follows the EU-U.S. announcement of an agreement on a new EU-U.S.
Data Privacy Framework (“DPF”) in March 2022 as well as
the Executive Order on Enhancing Safeguards for United
States Signals Intelligence Activities
Order”) signed by President Biden in October 2022, which aimed
at implementing the commitments of the U.S. under the DPF.

If the draft adequacy decision is adopted, the DPF will be the
successor to the EU-U.S. Privacy Shield, which was based on an
adequacy decision of the European Commission declared invalid under
the General Data Protection Regulation (“GDPR”) by the
Court of Justice of the European Union (“CJEU”) in its Schrems II decision in July 2020. The
DPF is expected to tackle the concerns of the CJEU with respect to
transfers of EU personal data to the U.S.

This Legal Update summarizes the key developments relating to
the draft adequacy decision and the next steps that are required
for its adoption.

Key Elements of the Draft Adequacy Decision

  • Acknowledgment of the safeguards implemented under the
    U.S. Executive Order

The U.S. Executive Order implements the commitments made by the
U.S. in the agreement announced by President von der Leyen and
President Biden in March 2022 and is accompanied by new

In addition to providing additional safeguards to protect
personal data of EU data subjects by restricting bulk collection of
personal data and granting individuals a right to independent and
binding review and redress, the Executive Order extends privacy and
civil liberties to all individuals, regardless of nationality or
country of residence. The Executive Order also requires the U.S.
intelligence community to update their policies and procedures and
restricts activities of U.S. intelligence agencies to what is
necessary and proportionate to a specific national security

The draft adequacy decision relies largely on the obligations
introduced by the Executive Order to support its findings on the
adequacy of the safeguards provided by the U.S. legal framework to
protect personal data.

Under the DPF, EU data subjects can lodge complaints regarding
non-compliance by EU-U.S. DPF-certified organizations and to have
these complaints resolved—if necessary by a decision
providing an effective remedy. Individuals may bring a complaint to
the organization itself, to an independent dispute resolution body
designated by the organization, to the U.S. Federal Trade
Commission, to the U.S. Department of Commerce, and/or to a
national Data Protection Authority (“DPA”) in the EU. An
organization must cooperate with the national DPA under certain
circumstances (e.g., when the complaint concerns the processing of
HR data or when the organization has voluntarily submitted to the
oversight of DPAs). Individuals may pursue any or all of these
redress mechanisms and are not bound by any specific sequence. If
none of these avenues resolves the complaint, data subjects may
invoke binding arbitration.

The European Commission also assessed in detail the new redress
mechanism established in the Executive Order for complaints from
individuals concerning U.S. signals intelligence activities. This
consists of a two-layer redress mechanism, with independent and
binding authority, which introduces new guarantees aimed at
ensuring fair trial and due process.

The lack of appropriate redress mechanisms in the EU-U.S.
Privacy Shield was a major concern of the CJEU in Schrems
. The adoption of the above-mentioned remedies addresses
this concern.

  • General mechanism of the EU-U.S. Privacy Shield

With the exception of the redress mechanism, the general
functioning of the DPF is largely similar to what existed under the
EU-U.S. Privacy Shield. U.S.-based businesses will be able to join
the DPF by complying with a comprehensive set of principles as well
as with the privacy obligations set forth in the Executive Order
and its implementing regulations.

EU Data Transfer Requirements

For transfers of personal data to countries outside of the
European Economic Area, controllers must rely on the tools listed
in Chapter V of the GDPR. One of those tools is an adequacy
decision by the European Commission according to Article 45 of the
GDPR. An adequacy decision is issued if the European Commission
decides that the third country ensures an adequate level of data

If the U.S. is approved as a country with data adequacy on the
basis of the DPF, data transfers from the EU by businesses that are
certified to the DPF will no longer require separate data transfer
mechanisms to provide additional safeguards. While the adoption of
an adequacy decision is pending, businesses may still rely on other
valid data transfer mechanisms recognized by the GDPR such as
Binding Corporate Rules and Standard Contractual Clauses

Relevance of Adequacy Decision for Local Law Assessments under

SCCs are currently the most common mechanism for EU-U.S. data
transfers and will likely remain a relevant data transfer mechanism
even if an adequacy decision is adopted. As of December 27, 2022,
all new and existing contracts must use the new SCCs released by the European Commission
in June 2021 (“2021 SCCs”). When using SCCs, the parties
need to conduct a prior assessment of the laws and practices of the
third country of destination and analyze whether provisions in
local law could prevent the data importer from complying with the
SCCs (European Data Protection Board (“EDPB”) Recommendations 01/2020; European
Commission’s practical guidance for businesses when relying
on the 2021 SCCs).

In a letter attached as Annex III to the draft adequacy
decision, U.S. Under Secretary of Commerce for International Trade
expressed the hope that the arrangements surrounding the approval
of the DPF will further facilitate reliance on other data transfer
mechanisms, including SCCs. The draft adequacy decision does not
expressly address whether the European Commission’s findings on
adequacy may be relied on for the purposes of local law assessment
prior to concluding SCCs with U.S. entities. In spite of this
missing reference, businesses should be able to rely on the
European Commission’s assessment of the U.S. legal framework in
the draft adequacy decision, once it is adopted.

Next Steps

The European Commission will now initiate the formal process
towards the adoption of the draft decision. As part of this
process, the EDPB will issue an opinion based on its assessment of
the draft adequacy decision. Additionally, the European Commission
must seek the approval from a committee composed of representatives
of the EU member states. The European Parliament may also exercise
its right of scrutiny over adequacy decisions. Once these steps are
completed, the European Commission can proceed with adopting the
adequacy decision. (When the adequacy decision relating to the
Privacy Shield was adopted, the interval between the release of the
draft decision and its adoption was about five months.)

Visit us at

Mayer Brown is a global legal services provider
comprising legal practices that are separate entities (the
“Mayer Brown Practices”). The Mayer Brown Practices are:
Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both
limited liability partnerships established in Illinois USA; Mayer
Brown International LLP, a limited liability partnership
incorporated in England and Wales (authorized and regulated by the
Solicitors Regulation Authority and registered in England and Wales
number OC 303359); Mayer Brown, a SELAS established in France;
Mayer Brown JSM, a Hong Kong partnership and its associated
entities in Asia; and Tauil & Chequer Advogados, a Brazilian
law partnership with which Mayer Brown is associated. “Mayer
Brown” and the Mayer Brown logo are the trademarks of the
Mayer Brown Practices in their respective

© Copyright 2020. The Mayer Brown Practices. All rights

Mayer Brown
article provides information and comments on legal
issues and developments of interest. The foregoing is not a
comprehensive treatment of the subject matter covered and is not
intended to provide legal advice. Readers should seek specific
legal advice before taking any action with respect to the matters
discussed herein.

POPULAR ARTICLES ON: Privacy from Worldwide

Data Privacy Comparative Guide


Data Privacy Comparative Guide for the jurisdiction of European Union, check out our comparative guides section to compare across multiple countries

Privacy Considerations For 2023

Frankfurt Kurnit Klein & Selz

2023 is around the corner. As a refresher, on January 1, 2023, two new comprehensive privacy laws – the California Privacy Rights Act (“CPRA”) and the Virginia Consumer Data Protection Act…

Source link

Related post

Bitcoin pro traders warm up the $24K level, suggesting that the current BTC rally has legs

Bitcoin pro traders warm up the $24K level, suggesting…

On Feb. 1 and Feb 2. Bitcoin’s (BTC) price surpassed even the most bullish price projections after the U.S. Federal Reserve…
Troubled Crypto Miners Get Breathing Room as Bitcoin Rebounds

Troubled Crypto Miners Get Breathing Room as Bitcoin Rebounds

(Bloomberg) — Rising Bitcoin prices are buying some time for distressed crypto miners as they renegotiate debt with lenders to stay…
Financial Accounting Standards Board votes to release draft cryptocurrency in March

Financial Accounting Standards Board votes to release draft cryptocurrency…

The Financial Accounting Standards Board, in its Feb. 1 meeting, voted to advance its first standard on cryptocurrencies and digital assets.…

Leave a Reply

Your email address will not be published.