The EU released its draft adequacy decision for the EU-US Data Privacy Framework, but all is not smooth sailing. As we wrote in October, the US developed the proposed new framework in response to the declared inadequacy of the EU-US Privacy Shield program.
For those keeping track, this is the third attempt at a transborder agreement for transfer of information from the EU to the US. The two previous programs, Safe Harbor and Privacy Shield, were both ultimately determined to be insufficient by the EU after challenges from the privacy activist Maximilian Schrems.
In releasing this draft adequacy decision, does that mean that all in the EU think the ailments that plagued the Privacy Shield have been cured? Privacy activists, including Schrems, think not. And the framework’s journey through the EU system has only just begun. It still needs to be reviewed by the European Data Protection Board, a committee of Member State representatives before being assessed by the European Parliament. During that time and at each stage, it is expected that the framework will continue to receive heavy scrutiny.
Putting It into Practice: As the saga continues, as we wrote in the past, companies will need to continue to take appropriate measures to address EU legal requirements for transfers of personal information out of the EU including standard contractual clauses, transfer impact assessments, and supplemental measures.