Following from last week, this post will look further into the updated cross-border data-sharing agreement between Europe and the US. We’re going to take a look at the EU’s authority to legalise this agreement, and the process behind establishing it.
The EU Commission and the adequacy decision
The EU Commission is the lead authority that makes key decisions concerning the implementation of new policies. Historically, the EU Commission has been the most active EU institution in terms of changes made to data-protection law. It could be said that the most important power held by the Commission is the authority to grant the adequacy decision to other countries.
An adequacy decision is a formal decision made by the EU, recognising that another country, territory, sector, or international organisation is providing an equivalent level of protection for personal data as the EU does. This decision has been granted to countries including the UK, Japan, Israel, and Argentina. In some cases, exceptions or an adapted initiative can be introduced. Similarly, the EU Commission has the authority to deny data transfer rights to countries.
The 4 stages of the drafting process
When initiating the approval for an adequacy decision, multiple steps need to be established to verify the agreement. The first one is the drafting process:
- The commission will need to draft the agreement with the US over the cross-border data transfers, including all the rules and regulations for the agreement. Following this, the draft can be transmitted to the European Data Protection Board.
- Secondly, the board would need to issue their verdict on the draft. It is important to state that their opinion is not legally binding. The European parliament can also be involved as a resolution point, and again their verdict is non-binding.
- The next step would be approval from the EU member states. For the vote to pass, an approval rate of 55% or more is required. This would mean a ‘yes’ vote from at least 15 of the 27 countries in the EU.
- The final step is the ‘official approval’ of the agreement. The college of Commissioners will formally adopt the Commission’s decision to pass the agreement. It will then be taken into immediate effect once logged and published in the EU’s official journal.
Does the agreement impact agencies?
Currently, any personal data shared with clients in the US would need to be included within a data-sharing agreement and noted in a Record of Processing Activities (RoPA). The new agreement will replace this requirement for the Standard Contractual Clause (SCC). This could potentially mean a ‘smoother’ path to transferring personal data from the EU to the US. Ideally, this should simplify future agreements and therefore drive growth in international client opportunities.