Draft adequacy decision has been published


A good German summary of the draft adequacy decision.

The EU Commission has published the long-awaited draft adequacy decision for data transfers from the EU to the US after analyzing US law and practice, including Executive Order 14086 and the AG Regulation. It concludes that the United States ensures an adequate level of protection for personal data transferred under the EU-U.S. Privacy Shield Framework. The EU-U.S. Privacy Shield Framework is a certification scheme under which U.S. organizations agree to comply with a set of privacy principles issued by the U.S. Department of Commerce. The principles apply immediately after certification. They do not affect the requirements of Regulation (EU) 2016/679 that apply to entities in the Union that transfer data, such as purpose limitation, data minimization, transparency and data security.

Personal data may be transferred from the EU to the US under the EU-U.S. GDPR, with the exception of data collected for the publication, broadcast or other forms of public communication of journalistic material. The EU-U.S. Data Processing Principles apply to organizations in the U.S. that are considered controllers or processors and are contractually obligated to act only at the direction of the EU controller and to assist the EU controller in responding to requests from individuals exercising their rights under the Principles. Under the EU-U.S. Privacy Shield Framework, personal data must be processed lawfully and fairly, and must not be processed in a manner incompatible with the purpose for which it was originally collected.

In certain circumstances, consent does not need to be obtained for the processing of sensitive data. However, in accordance with the principle of data integrity and purpose limitation, organizations must ensure that personal data is accurate, complete and up to date, and may only retain personal data for as long as it serves the purpose(s) for which it was originally collected or for which the data subject has given consent in accordance with the principle of freedom of choice. In addition, personal data must be processed in a manner that ensures its security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. Finally, controllers and processors must implement appropriate technical and organizational measures.
