Decidedly adequate? European Commission begins the process for adopting the EU-US Data Privacy Framework
On 13 December 2022, the EU Commission launched the process to adopt a new ‘adequacy decision’ for personal data transfers to recipients based in the US. This marks the next step in the creation of the so-called EU-US Data Privacy Framework (the Framework), which aims to make it easier for companies to transfer personal data from the EU to the US and is therefore likely to be of great interest to most EU companies.
For many EU companies, the transfer of personal data is a core part of their business or operating model. Even EU companies without US operations or customers often rely on cloud or other IT-related services provided by US tech companies that require data transfers to the US.
What is an adequacy decision?
The EU General Data Protection Regulation (GDPR) restricts the transfer of personal data to recipients based in countries outside the EEA unless the EU Commission has adopted a so-called ‘adequacy decision’ that confirms that the level of protection for personal data is adequate in the respective non-EEA country. If there is no such adequacy decision, transfers of personal data subject to the GDPR require specific transfer mechanisms to be used, such as standard contractual clauses (SCCs) or binding corporate rules (BCRs), or applicable derogations.
However, an adequacy decision is a much simpler solution than relying on SCCs or BCRs (the most common transfer mechanisms). This is because SCCs require the data exporter to put in place further contractual terms, BCRs require prior approval from the competent supervisory authority, and organisations using SCCs and BCRs must also undertake a transfer impact assessment of each transfer and may need to implement additional technical and organisational measures.
Nevertheless, obtaining an adequacy decision is a challenging process for any country, and the validity of such decisions can be challenged before the EU’s Court of Justice (CJEU). The proposed Framework is the third attempt to establish a streamlined data transfer mechanism based on an adequacy finding in order to facilitate transfers of personal data from the EU to the US. In its 2020 landmark ‘Schrems II’ decision, the CJEU declared invalid the EU Commission’s adequacy decision that underpinned the widely used ‘Privacy Shield’. The Privacy Shield facilitated the transfer of personal data subject to the GDPR to US entities that (self-)certified their compliance with certain principles. In particular, the CJEU found that applicable surveillance laws in the US omitted necessary proportionality elements and that the Privacy Shield lacked an effective redress mechanism. The predecessor of the Privacy Shield, the Safe Harbour Agreement, had previously met the same fate and been declared invalid by the CJEU in 2015.
The EU-US Data Privacy Framework
After the announcement of an ‘agreement in principle’ between EU Commission President Ursula von der Leyen and US President Joe Biden on EU-US data transfers in March 2022, Biden signed the Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities on 7 October 2022 (see our previous blog here), complemented by a Regulation on the Data Protection Review Court issued by the US Attorney General. The Executive Order provides for new limitations and safeguards intended to address the CJEU’s criticism regarding proportionality of US signals intelligence activities, and provides a new two-level redress mechanism for individuals to obtain independent review of such activities.
In line with the now invalidated Privacy Shield, the proposed adequacy decision for data transfers to US recipients will have a specific name and is supposed to be called the EU-US Data Privacy Framework (which is slightly different from the ‘Trans-Atlantic Data Privacy Framework’ name announced previously).
Similar to the previous Privacy Shield, the proposed adequacy decision and Framework will only allow the transfer of personal data to certain in-scope US companies that have self-certified (further details are below). The proposed adequacy decision is therefore far narrower than many other adequacy decisions that are not limited to specific recipients and reflects that the US does not have a general uniform data protection law comparable to the GDPR.
According to current plans, the Framework will only apply to transfers to US companies fulfilling certain prerequisites. In particular, the US company must:
- be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) or the US Department of Transportation (DoT);
- self-certify under the Framework by publicly declaring its commitment to comply with the Framework Principles (Principles);
- disclose privacy policies in line with the Principles; and
- have fully implemented the Principles.
As part of its self-certification, a US company will need to submit certain information to the US Department of Commerce (DoC) to be placed on the Data Protection Framework List. The US company will then have to re-certify itself on an annual basis to be able to invoke the adequacy decision for transfers from the EU. The DoC will administer and monitor certified US companies regarding compliance with the mentioned prerequisites, whereas the FTC and DoT will be responsible for potential enforcement action.
A narrow exception is that personal data collected for publication, broadcast or other forms of public communication of journalistic material and information in previously published material disseminated from media archives cannot be transferred on the basis of the Framework.
The Principles of the Framework mirror the GDPR provisions to a large extent even though they are not identical. In certain cases, US companies are required to cooperate with European data protection authorities.
The draft for the Framework has now been sent to the European Data Protection Board (EDPB) for its opinion. Following the receipt of comments by the EDPB, the EU Commission must obtain approval of the draft adequacy decision by a committee comprising representatives of the EU Member States. The EU Parliament may also scrutinise the decision, but cannot affect its validity. Following review by these bodies, the EU Commission may adopt a final adequacy decision and thereby formalise the Framework.
It is generally expected that the final adequacy decision may be adopted in the summer of 2023. However, it remains to be seen whether the Framework will become effective immediately, since the US intelligence community was given a longer transitional period to implement the safeguards under the Executive Order.
Even though the Framework is supposed to bring legal certainty for data transfers to the US, at this stage it is unclear whether it will overcome expected legal challenges. Data protection activists, such as Max Schrems, and supervisory authorities in Germany have argued that the additional protections introduced by the Executive Order are insufficient. Schrems has announced that he might challenge the Framework, as he successfully did with its predecessors.
Implications for UK companies
UK data protection laws are based on the GDPR and also restrict cross-border transfers of personal data to countries that the UK does not view as providing an adequate level of data protection, including to the US. The Framework will only address transfers of personal data to the US under EU law and not apply under UK law.
As such, companies that intend to transfer data subject to UK data protection laws between the two countries must rely on another mechanism, such as the UK equivalent of SCCs or UK BCRs (see here for more on the UK BCRs), and conduct a transfer risk assessment.
The UK and US governments are working on a potential equivalent UK-US framework, and the UK government has stated its intention to make preparations for laying adequacy regulations in Parliament and issuing guidance for organisations and individuals in early 2023.