This afternoon, the European Commission announced that it has (finally) finalised its much-awaited draft adequacy decision for the EU-U.S. Data Privacy Framework.

According to the Commission, the draft adequacy decision “reflects the assessment by the Commission of the US legal framework and concludes that it provides comparable safeguards to those of the EU”. The decision has been sent to the EDPB for its opinion. According to the adoption procedure, the Commission will then seek the approval of a committee of EU Member State representatives. Furthermore, it should be noted that the European Parliament has the right to scrutinise adequacy decisions. Upon completion of the procedure, the Commission will be able to adopt the final adequacy decision.
If finalized, the decision will likely be challenged in court. In a recent event, EU Justice Commissioner Didier Reynders estimated that the agreement has a “seven or eight out of 10 chance” of surviving such a challenge.

Under the decision, US-based companies would be able to join the EU-U.S. Data Privacy Framework and commit to a number of obligations. Redress mechanisms have also been established which EU citizens will be able to rely on when their personal data is processed in violation of the Framework. Importantly, access to EU data by US intelligence agencies “will be limited to what is necessary and proportionate to protect national security”. Additionally, EU companies will be able to “rely on these safeguards for trans-Atlantic data transfers, also when using other transfer mechanisms, such as standard contractual clauses and binding corporate rules.”

I warmly welcome the progress that has been made and look forward to examining the draft decision in detail.

Read the Commission’s press release here and the Draft Adequacy Decision here.