Additional author: Salome Peters.
On 13 December 2022, the European Commission published its draft adequacy decision for EU-U.S. data transfers. The draft decision follows the EU-U.S. announcement of an agreement on a new EU-U.S. Data Privacy Framework ("DPF") in March 2022 as well as the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities ("Executive Order") signed by President Biden in October 2022, which aimed at implementing the commitments of the U.S. under the DPF.
If the draft adequacy decision is adopted, the DPF will be the successor to the EU-U.S. Privacy Shield, which was based on an adequacy decision of the European Commission declared invalid under the General Data Protection Regulation ("GDPR") by the Court of Justice of the European Union ("CJEU") in its Schrems II decision in July 2020. The DPF is expected to tackle the concerns of the CJEU with respect to transfers of EU personal data to the U.S.
This Legal Update summarizes the key developments relating to the draft adequacy decision and the next steps that are required for its adoption.
Key Elements of the Draft Adequacy Decision
- Acknowledgment of the safeguards implemented under the U.S. Executive Order
The U.S. Executive Order implements the commitments made by the U.S. in the agreement announced by President von der Leyen and President Biden in March 2022 and is accompanied by new regulations.
In addition to providing additional safeguards to protect personal data of EU data subjects by restricting bulk collection of personal data and granting individuals a right to independent and binding review and redress, the Executive Order extends its privacy and civil liberties safeguards to all individuals, regardless of nationality or country of residence. The Executive Order also requires the U.S. intelligence community to update its policies and procedures and restricts the activities of U.S. intelligence agencies to what is necessary and proportionate to a specific national security objective.
The draft adequacy decision relies largely on the obligations introduced by the Executive Order to support its findings on the adequacy of the safeguards provided by the U.S. legal framework to protect personal data.
- New redress mechanism
Under the DPF, EU data subjects can lodge complaints regarding non-compliance by EU-U.S. DPF-certified organizations and have these complaints resolved, if necessary by a decision providing an effective remedy. Individuals may bring a complaint to the organization itself, to an independent dispute resolution body designated by the organization, to the U.S. Federal Trade Commission, to the U.S. Department of Commerce, and/or to a national Data Protection Authority ("DPA") in the EU. An organization must cooperate with the national DPA under certain circumstances (e.g., when the complaint concerns the processing of HR data or when the organization has voluntarily submitted to the oversight of DPAs). Individuals may pursue any or all of these redress mechanisms and are not bound by any specific sequence. If none of these avenues resolves the complaint, data subjects may invoke binding arbitration.
The European Commission also assessed in detail the new redress mechanism established in the Executive Order for complaints from individuals concerning U.S. signals intelligence activities. This consists of a two-layer redress mechanism, with independent and binding authority, which introduces new guarantees aimed at ensuring fair trial and due process.
The lack of appropriate redress mechanisms in the EU-U.S. Privacy Shield was a major concern of the CJEU in Schrems II. The adoption of the above-mentioned remedies addresses this concern.
- General mechanism of the EU-U.S. Privacy Shield maintained
With the exception of the redress mechanism, the general functioning of the DPF is largely similar to what existed under the EU-U.S. Privacy Shield. U.S.-based businesses will be able to join the DPF by complying with a comprehensive set of principles as well as with the privacy obligations set forth in the Executive Order and its implementing regulations.
EU Data Transfer Requirements
For transfers of personal data to countries outside of the European Economic Area, controllers must rely on the tools listed in Chapter V of the GDPR. One of those tools is an adequacy decision by the European Commission according to Article 45 of the GDPR. An adequacy decision is issued if the European Commission decides that the third country ensures an adequate level of data protection.
If the U.S. is approved as a country with data adequacy on the basis of the DPF, data transfers from the EU by businesses that are certified to the DPF will no longer require separate data transfer mechanisms to provide additional safeguards. While the adoption of an adequacy decision is pending, businesses may still rely on other valid data transfer mechanisms recognized by the GDPR such as Binding Corporate Rules and Standard Contractual Clauses ("SCCs").
Relevance of Adequacy Decision for Local Law Assessments under SCCs
SCCs are currently the most common mechanism for EU-U.S. data transfers and will likely remain a relevant data transfer mechanism even if an adequacy decision is adopted. As of December 27, 2022, all new and existing contracts must use the new SCCs released by the European Commission in June 2021 ("2021 SCCs"). When using SCCs, the parties need to conduct a prior assessment of the laws and practices of the third country of destination and analyze whether provisions in local law could prevent the data importer from complying with the SCCs (European Data Protection Board ("EDPB") Recommendations 01/2020; European Commission's practical guidance for businesses when relying on the 2021 SCCs).
In a letter attached as Annex III to the draft adequacy decision, the U.S. Under Secretary of Commerce for International Trade expressed the hope that the arrangements surrounding the approval of the DPF will further facilitate reliance on other data transfer mechanisms, including SCCs. The draft adequacy decision does not expressly address whether the European Commission's findings on adequacy may be relied on for the purposes of the local law assessment required prior to concluding SCCs with U.S. entities. Despite this missing reference, businesses should be able to rely on the European Commission's assessment of the U.S. legal framework in the draft adequacy decision once it is adopted.
The European Commission will now initiate the formal process towards the adoption of the draft decision. As part of this process, the EDPB will issue an opinion based on its assessment of the draft adequacy decision. Additionally, the European Commission must seek the approval from a committee composed of representatives of the EU member states. The European Parliament may also exercise its right of scrutiny over adequacy decisions. Once these steps are completed, the European Commission can proceed with adopting the adequacy decision. (When the adequacy decision relating to the Privacy Shield was adopted, the interval between the release of the draft decision and its adoption was about five months.)