On December 13, 2022, the European Commission published its draft Adequacy Decision on the EU-U.S. Personal Data Protection Framework (« EU-U.S. DPF »), which, once formally adopted, would recognize that the United States provides an adequate level of protection for personal data transferred from the EU to organizations certified under the EU-U.S. DPF.
The draft decision follows the issuance of Executive Order 14086 on Strengthening Safeguards for U.S. Intelligence Activities (« EO 14086 ») by President Biden on October 7, 2022, and the political agreement reached between the EU and the United States in March 2022.
On February 14, 2023, in a draft resolution on the adequacy of the protection offered by the proposed EU-U.S. data protection framework, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs strongly recommended that the European Commission not adopt an adequacy decision based on the framework, on the grounds that it « does not create effective equivalence » with the EU in terms of the level of data protection it offers.
A full parliamentary vote on the resolution is expected in the coming months, but even if adopted, the resolution will not be binding on the European Commission in terms of its adequacy decision.
The Committee raised various objections to the Framework, including that while Executive Order 14086 refers to the principles of proportionality and necessity, the substantive definitions of these concepts, and their likely interpretation under U.S. law, are out of step with their meaning and interpretation in the EU.
The U.S. President retains the ability to amend the Executive Order, which means that its application is not clear, precise, or predictable.
In its conclusions, the Committee reiterated its earlier request to the Commission « not to adopt a new adequacy decision with respect to the United States unless significant reforms are introduced, in particular for national security and intelligence purposes ».
As the draft adequacy decision has been submitted to the European Data Protection Board (« EDPB »), the European Commission will seek the approval of a committee composed of representatives of EU Member States.
In addition, the European Parliament has a say in the process. The European Commission is expected to adopt a final adequacy decision by mid-2023.
Once finalized, implementation of the adequacy decision will depend on the U.S. government’s implementation of E.O. 14086, including establishing a process for submitting eligible complaints, updating U.S. intelligence community agencies’ policies and procedures in accordance with the E.O., and designating the EU as an eligible state from which individuals can submit complaints for redress.