EU: draft ade­qua­cy decis­i­on for TADPF; ent­ry into force pos­si­ble in mid-2023

As suc­ces­sors to the old Safe Har­bour Frame­work and then the Pri­va­cy Shield, each of which was over­tur­ned by the ECJ (Schrems I and II), the “EU‑U.S. Data Pri­va­cy Frame­work” (“EU‑U.S. DPF” or “Trans­at­lan­tic Data Pri­va­cy Frame­work,” “TADPF”) is pro­vi­ded for. As befo­re, the frame­work is based on a U.S. offer and a rela­ted ade­qua­cy decis­i­on by the EU Commission.

After Joe Biden issued the Octo­ber 7, 2022 Exe­cu­ti­ve Order On Enhan­cing Safe­guards For United Sta­tes Signals Intel­li­gence Acti­vi­ties (EO 14086) signed and the Att­or­ney Gene­ral Imple­men­ting regu­la­ti­ons for the new Data Pro­tec­tion Review Court, the ball was in the EU’s court.

The EU Com­mis­si­on has now, on Decem­ber 13, 2022. Draft of a cor­re­spon­ding ade­qua­cy decis­i­on sub­mit­ted and thus initia­ted the pro­ce­du­re that should lead to an ade­qua­cy decis­i­on (see Media release). The draft con­ta­ins an assess­ment of the U.S. data pro­tec­tion frame­work and the limi­ta­ti­ons on agen­cy access to trans­fer­red data and, of cour­se, con­clu­des that the Exe­cu­ti­ve Order addres­ses the ECJ’s con­cerns in the Schrems II decision.

This now marks the begin­ning of a rough­ly six-month pha­se, in which the Euro­pean Data Pro­tec­tion Board (EDPB) will give its opi­ni­on befo­re mem­ber sta­tes would have to get behind ade­qua­cy. Until approx. Mid 2023 ade­qua­cy could be for­mal­ly established.

The decis­i­on con­ta­ins as annexes:

  • Annex IEU‑U.S. Data Pri­va­cy Frame­work Prin­ci­ples of the U.S. Depart­ment of Com­mer­ce. The­se prin­ci­ples set out the rules for sub­jec­ting com­pa­nies to the TADPF, inclu­ding sub­stan­ti­ve requi­re­ments for the hand­ling by the­se com­pa­nies of per­so­nal data trans­fer­red (inclu­ding encrypt­ed data). The­se prin­ci­ples are stron­gly remi­nis­cent of the Pri­va­cy Shield;
  • Annex II: Let­ter from U.S. Secre­ta­ry of Com­mer­ce Gina Raimondo;
  • Annex III: Let­ter from Under Secre­ta­ry of Com­mer­ce for Inter­na­tio­nal Trade Mari­sa Lago adding the role of the Depart­ment of Com­mer­ce to pro­vi­de admi­ni­stra­ti­ve sup­port to the TADPF, inclu­ding main­tai­ning the list of sub­or­di­na­te com­pa­nies and veri­fy­ing their com­pli­ance with the TADPF;
  • Annex IVLet­ter from Lina M. Khan, Chair­man of the Fede­ral Trade Com­mis­si­on. The FTC helps enforce the TADPF by being able to pro­se­cu­te actions that are under­s­tood by Euro­peans to fall under fair tra­ding law, inclu­ding non-com­pli­ance with the TADPF by sub­ject com­pa­nies. Annex IV con­ta­ins a list of cases in which the FTC has pro­se­cu­ted rela­ted vio­la­ti­ons under Safe Har­bor and the Pri­va­cy Shield;
  • Annex V: Let­ter from Pete Butt­i­gieg, Secre­ta­ry of Trans­por­ta­ti­on, which may take ana­log­ous action to the FTC for vio­la­ti­ons by air­lines and air tra­vel providers;
  • Annex VI: Let­ter from Bruce C. Swartz, U.S. Depart­ment of Justi­ce, Cri­mi­nal Divi­si­on. This let­ter pro­vi­des a con­cise over­view of the fede­ral inve­sti­ga­ti­ve tools available to hand­le cor­po­ra­te data in the U.S. for law enforce­ment pur­po­ses and to pro­tect other inte­rests. It also inclu­des expl­ana­ti­ons of sub­poe­nas and war­rants and their requi­re­ments and effects, and of the Stored Com­mu­ni­ca­ti­ons Act, among other things;
  • Annex VIILet­ter from Chri­sto­pher C. Fon­zo­ne for the Office of the Direc­tor of Natio­nal Intel­li­gence, inclu­ding comm­ents on FISA. Among other things, it con­firms that the intel­li­gence agen­ci­es (the “Intel­li­gence Com­mu­ni­ty”)… App­ly Biden’s Exe­cu­ti­ve Order to mea­su­res under FISA 702 be




Rela­ted articles