On 13 December 2022, the European Commission published its new draft adequacy decision for the United States which – if adopted – would make it easier for organisations to share personal data with recipients in the US. The draft decision reflects the assessment of the European Commission that the United States ensures an adequate level of data protection for personal data, paving the way for finalisation of the EU-US Data Privacy Framework (“DPF“).

The DPF addresses the concerns raised by the Court of Justice of the European Union in its Schrems II decision of July 2020 whereby the Privacy Shield (a legal framework that enabled transatlantic exchanges of personal data for commercial purposes) was declared invalid.

These concerns centred around access to European personal data by US intelligence agencies and the lack of independent redress for EU citizens.

Once and if the adequacy decision is adopted, European entities will be able to transfer personal data to participating companies in the US, without having to put in place additional data protection safeguards such as standard contractual clauses (SCCs) or binding corporate rules.

However, the adequacy decision speaks of a mechanism to transfer personal data to organizations that are certified by the Department of Commerce —a process similar to the transfers that were permitted under the EU-US Privacy Shield and EU-US Safe Harbor framework, i.e. under the new EU-U.S. DPF, U.S. controllers and processors will be able to self-certify their adherence to a set of Principles, including Supplemental Principles, issued by the U.S. Department of Commerce. The Principles, which were included in the package of materials transmitted to the Commission by the U.S. Department of Commerce, and which are attached to the draft decision, state that in order to adhere to the EU-U.S. DPF, organizations must: (1) be subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission, the U.S. Department of Transportation, or another statutory body that will effectively ensure compliance with the Principles; (2) publicly declare their commitment to comply with the Principles; (3) publicly disclose that their privacy policies are “in line” with the Principles; and (4) fully implement them. More details can be found here.

This adequacy decision is not the only mechanism to legitimise international data transfers. Organizations can still rely on other transfer tools for EU-US data transfers, such as SCCs, as adopted by the European Commission last year.

To conclude, at this draft stage, we can identify two key points that will impact the data protection clauses in clinical trial agreements/site contract:

a) a decision is taken to obtain certification by the Department of Commerce (In a letter attached as Annex III to the draft adequacy decision, U.S. Under Secretary of Commerce for International Trade expressed the hope that the arrangements surrounding the approval of the DPF will further facilitate reliance on other data transfer mechanisms, including SCCs. The draft adequacy decision does not expressly address whether the European Commission’s findings on adequacy may be relied on for the purposes of local law assessment prior to concluding SCCs with U.S. entities. In spite of this missing reference, businesses should be able to rely on the European Commission’s assessment of the U.S. legal framework in the draft adequacy decision, once it is adopted) or

b) the context where an organization continues to use the SCC in scenarios of data transfers. In conclusion, for companies without DPF certification, SCCs will likely remain the default transfer mechanism.

The European Commission’s adoption of a final adequacy decision is expected in mid-2023. Once finalized, the adequacy decision’s application will be contingent upon the U.S. government’s implementation of this decision and proper steps of execution.

Business community in general welcomed the decision as it is expected to contribute to decreasing of administrative burdens, yet data privacy activists are concerned with such ‘simplification’ of EU-US data transfer process. CTA Focus is monitoring the process of finalization of the final adequacy decision and will keep you informed.

For more information on the proposed EU-US Data Privacy Framework and other international transfer mechanisms, please do not hesitate to contact us: contact@ctafocus.com.

Other sources for this short article:

• https://ec.europa.eu/commission/presscorner/detail/en/qanda_22_6045

• https://www.euractiv.com/section/data-privacy/news/european-commission-publishes-draft-adequacy-decision-on-eu-us-data-flows/

• https://blogs.dlapiper.com/privacymatters/eu-us-adequacy-decision-state-of-play/

• https://www.morganlewis.com/pubs/2022/12/european-commission-releases-draft-adequacy-decision-for-us-personal-data-transfers

• https://www.houthoff.com/nl-nl/actueel/news-update/data-protection-cybersecurity-european-commission-publishes-adequacy-decision

• https://www.rwkgoodman.com/info-hub/eu-us-data-privacy-framework-what-you-need-to-know-now-the-draft-adequacy-decision-has-been-published/