The “EU‑U.S. Data Privacy Framework” (“EU‑U.S. DPF” or “Transatlantic Data Privacy Framework,” “TADPF”) is planned as the successor to the old Safe Harbour Framework and then the Privacy Shield, each of which was overturned by the ECJ (Schrems I and II). As before, the framework is based on a U.S. offer and a related adequacy decision by the EU Commission.
After Joe Biden signed the Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities (EO 14086) on October 7, 2022, and the Attorney General issued implementing regulations for the new Data Protection Review Court, the ball was in the EU’s court.
On December 13, 2022, the EU Commission submitted a draft of a corresponding adequacy decision and thus initiated the procedure that should lead to an adequacy decision (see media release). The draft contains an assessment of the U.S. data protection framework and the limitations on agency access to transferred data and, of course, concludes that the Executive Order addresses the ECJ’s concerns in the Schrems II decision.
This marks the beginning of a roughly six-month phase in which the European Data Protection Board (EDPB) will give its opinion before member states would have to get behind adequacy. Adequacy could be formally established by approximately mid-2023.
The decision contains as annexes:
- Annex I: EU‑U.S. Data Privacy Framework Principles of the U.S. Department of Commerce. These principles set out the rules for subjecting companies to the TADPF, including substantive requirements for the handling by these companies of personal data transferred (including encrypted data). These principles are strongly reminiscent of the Privacy Shield;
- Annex II: Letter from U.S. Secretary of Commerce Gina Raimondo;
- Annex III: Letter from Under Secretary of Commerce for International Trade Marisa Lago on the role of the Department of Commerce in providing administrative support to the TADPF, including maintaining the list of companies subject to the TADPF and verifying their compliance with it;
- Annex IV: Letter from Lina M. Khan, Chairman of the Federal Trade Commission. The FTC helps enforce the TADPF by being able to prosecute actions that are understood by Europeans to fall under fair trading law, including non-compliance with the TADPF by subject companies. Annex IV contains a list of cases in which the FTC has prosecuted related violations under Safe Harbor and the Privacy Shield;
- Annex V: Letter from Pete Buttigieg, Secretary of Transportation, which may take analogous action to the FTC for violations by airlines and air travel providers;
- Annex VI: Letter from Bruce C. Swartz, U.S. Department of Justice, Criminal Division. This letter provides a concise overview of the federal investigative tools available to handle corporate data in the U.S. for law enforcement purposes and to protect other interests. It also includes explanations of subpoenas and warrants and their requirements and effects, and of the Stored Communications Act, among other things;
- Annex VII: Letter from Christopher C. Fonzone for the Office of the Director of National Intelligence, including comments on FISA. Among other things, it confirms that the intelligence agencies (the “Intelligence Community”)… Apply Biden’s Executive Order to measures under FISA 702 be