European Commission Publishes U.S. Draft Adequacy Decision – Privacy Protection


On 13 December 2022, the European Commission published its draft
adequacy decision for EU-U.S. data transfers. The draft decision
follows the EU-U.S. announcement of an agreement on a new EU-U.S.
Data Privacy Framework (“DPF”) in March 2022 as well as the
Executive Order on Enhancing Safeguards for United States Signals
Intelligence Activities (“Executive Order”) signed by President
Biden in October 2022, which aimed at implementing the commitments
of the U.S. under the DPF.

If the draft adequacy decision is adopted, the DPF will be the
successor to the EU-U.S. Privacy Shield, which was based on an
adequacy decision of the European Commission declared invalid under
the General Data Protection Regulation (“GDPR”) by the
Court of Justice of the European Union (“CJEU”) in its Schrems II decision in July 2020. The
DPF is expected to tackle the concerns of the CJEU with respect to
transfers of EU personal data to the U.S.

This Legal Update summarizes the key developments relating to
the draft adequacy decision and the next steps that are required
for its adoption.

Key Elements of the Draft Adequacy Decision

  • Acknowledgment of the safeguards implemented under the
    U.S. Executive Order

The U.S. Executive Order implements the commitments made by the
U.S. in the agreement announced by President von der Leyen and
President Biden in March 2022 and is accompanied by new
regulations.

In addition to providing additional safeguards to protect
personal data of EU data subjects by restricting bulk collection of
personal data and granting individuals a right to independent and
binding review and redress, the Executive Order extends privacy and
civil liberties to all individuals, regardless of nationality or
country of residence. The Executive Order also requires the U.S.
intelligence community to update their policies and procedures and
restricts activities of U.S. intelligence agencies to what is
necessary and proportionate to a specific national security
objective.

The draft adequacy decision relies largely on the obligations
introduced by the Executive Order to support its findings on the
adequacy of the safeguards provided by the U.S. legal framework to
protect personal data.

Under the DPF, EU data subjects can lodge complaints regarding
non-compliance by EU-U.S. DPF-certified organizations and have
these complaints resolved, if necessary by a decision
providing an effective remedy. Individuals may bring a complaint to
the organization itself, to an independent dispute resolution body
designated by the organization, to the U.S. Federal Trade
Commission, to the U.S. Department of Commerce, and/or to a
national Data Protection Authority (“DPA”) in the EU. An
organization must cooperate with the national DPA under certain
circumstances (e.g., when the complaint concerns the processing of
HR data or when the organization has voluntarily submitted to the
oversight of DPAs). Individuals may pursue any or all of these
redress mechanisms and are not bound by any specific sequence. If
none of these avenues resolves the complaint, data subjects may
invoke binding arbitration.

The European Commission also assessed in detail the new redress
mechanism established in the Executive Order for complaints from
individuals concerning U.S. signals intelligence activities. This
consists of a two-layer redress mechanism, with independent and
binding authority, which introduces new guarantees aimed at
ensuring fair trial and due process.

The lack of appropriate redress mechanisms in the EU-U.S.
Privacy Shield was a major concern of the CJEU in Schrems II.
The adoption of the above-mentioned remedies addresses this
concern.

  • General mechanism of the EU-U.S. Privacy Shield
    maintained

With the exception of the redress mechanism, the general
functioning of the DPF is largely similar to what existed under the
EU-U.S. Privacy Shield. U.S.-based businesses will be able to join
the DPF by complying with a comprehensive set of principles as well
as with the privacy obligations set forth in the Executive Order
and its implementing regulations.

EU Data Transfer Requirements

For transfers of personal data to countries outside of the
European Economic Area, controllers must rely on the tools listed
in Chapter V of the GDPR. One of those tools is an adequacy
decision by the European Commission according to Article 45 of the
GDPR. An adequacy decision is issued if the European Commission
decides that the third country ensures an adequate level of data
protection.

If the U.S. is approved as a country with data adequacy on the
basis of the DPF, data transfers from the EU by businesses that are
certified to the DPF will no longer require separate data transfer
mechanisms to provide additional safeguards. While the adoption of
an adequacy decision is pending, businesses may still rely on other
valid data transfer mechanisms recognized by the GDPR such as
Binding Corporate Rules and Standard Contractual Clauses
(“SCCs”).

Relevance of Adequacy Decision for Local Law Assessments under
SCCs

SCCs are currently the most common mechanism for EU-U.S. data
transfers and will likely remain a relevant data transfer mechanism
even if an adequacy decision is adopted. As of December 27, 2022,
all new and existing contracts must use the new SCCs released by the European Commission
in June 2021 (“2021 SCCs”). When using SCCs, the parties
need to conduct a prior assessment of the laws and practices of the
third country of destination and analyze whether provisions in
local law could prevent the data importer from complying with the
SCCs (European Data Protection Board (“EDPB”) Recommendations 01/2020; European
Commission’s practical guidance for businesses when relying
on the 2021 SCCs).

In a letter attached as Annex III to the draft adequacy decision,
the U.S. Under Secretary of Commerce for International Trade
expressed the hope that the arrangements surrounding the approval
of the DPF will further facilitate reliance on other data transfer
mechanisms, including SCCs. The draft adequacy decision does not
expressly address whether the European Commission’s findings on
adequacy may be relied on for the purposes of local law assessment
prior to concluding SCCs with U.S. entities. In spite of this
missing reference, businesses should be able to rely on the
European Commission’s assessment of the U.S. legal framework in
the draft adequacy decision, once it is adopted.

Next Steps

The European Commission will now initiate the formal process
towards the adoption of the draft decision. As part of this
process, the EDPB will issue an opinion based on its assessment of
the draft adequacy decision. Additionally, the European Commission
must seek approval from a committee composed of representatives
of the EU member states. The European Parliament may also exercise
its right of scrutiny over adequacy decisions. Once these steps are
completed, the European Commission can proceed with adopting the
adequacy decision. (When the adequacy decision relating to the
Privacy Shield was adopted, the interval between the release of the
draft decision and its adoption was about five months.)

Visit us at mayerbrown.com

Mayer Brown is a global legal services provider
comprising legal practices that are separate entities (the
“Mayer Brown Practices”). The Mayer Brown Practices are:
Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both
limited liability partnerships established in Illinois USA; Mayer
Brown International LLP, a limited liability partnership
incorporated in England and Wales (authorized and regulated by the
Solicitors Regulation Authority and registered in England and Wales
number OC 303359); Mayer Brown, a SELAS established in France;
Mayer Brown JSM, a Hong Kong partnership and its associated
entities in Asia; and Tauil & Chequer Advogados, a Brazilian
law partnership with which Mayer Brown is associated. “Mayer
Brown” and the Mayer Brown logo are the trademarks of the
Mayer Brown Practices in their respective
jurisdictions.

© Copyright 2020. The Mayer Brown Practices. All rights
reserved.

This Mayer Brown article provides information and comments on legal
issues and developments of interest. The foregoing is not a
comprehensive treatment of the subject matter covered and is not
intended to provide legal advice. Readers should seek specific
legal advice before taking any action with respect to the matters
discussed herein.
