EC Unveils Draft U.S. Data Transfer Adequacy Decision

The U.S. now ensures an adequate level of personal data protection for trans-Atlantic data flows, the European Commission said Tuesday. It published a draft adequacy decision that it said would resolve the concerns of the European Court of Justice in Schrems II. The decision will now be vetted by the European Data Protection Board, EU governments and the European Parliament. It would require U.S. companies to commit to complying with a detailed set of privacy conditions, such as deleting personal data when it's no longer needed for the purpose for which it was collected, and ensuring that privacy protection continues when personal information is shared with third parties, the EC said. EU citizens would have several avenues for redress if their data is mishandled. U.S. laws provide limitations and safeguards on access to data by public authorities, such as for criminal law enforcement and national security purposes, including new rules introduced by an executive order that addressed issues raised in Schrems II. European companies would be able to rely on these safeguards for data transfers as well as when using other mechanisms such as standard contractual clauses and binding corporate rules. Once the proposed regime has been vetted, the EC will finalize an adequacy decision that will be subject to periodic review. The Computer and Communications Industry Association cheered the development, but warned "legal uncertainty will continue to persist for companies as long as today's draft decision has not been formally approved by EU Member States." It urged governments to "end the two-year impasse as soon as possible."