Towards adequacy: The European Commission’s draft decision on the EU-US Data Privacy Framework
FOLLOWING THE ANNOUNCEMENT ON 7 OCTOBER 2022 THAT PRESIDENT BIDEN HAD SIGNED AN EXECUTIVE ORDER (ORDER) TO IMPLEMENT THE EUROPEAN UNION-UNITED STATES DATA PRIVACY FRAMEWORK (EU-US DPF), THE EUROPEAN COMMISSION STARTED THE PROCESS, ON 13 DECEMBER 2022, OF ADOPTING AN ADEQUACY DECISION FOR SAFE DATA FLOWS WITH THE UNITED STATES (US), PAVING THE WAY TO THE ADOPTION OF THE EU-US DPF.
With the introduction of new safeguards to address its predecessors’ shortcomings, the viability of the new scheme will be the subject of much attention over the coming months.
In this article, we set out the journey which has led to this draft adequacy decision of the European Commission, as follows:
- History of EU-US Data Flows
- EDPB Concerns on the EU-US Privacy Shield Framework and the CJEU Schrems II Decision
- The Draft Adequacy Decision on the EU-US DPF
1. BACKGROUND HISTORY OF EU-US DATA FLOWS
Under EU Data Protection laws, including the General Data Protection Regulation (GDPR), transfers of personal data from the European Union (EU)/European Economic Area (EEA) to non-EU/EEA countries (third countries) are prohibited unless they are:
1. based on an adequacy decision of the European Commission;
2. subject to appropriate safeguards; or
3. permitted by specific derogations.
Armed with the power to determine whether a third country provides an adequate level of protection comparable to that provided under European laws, the European Commission has consistently failed to recognise the US as adequate.
As a result, there have been numerous attempts, predating the GDPR, to secure compliant transfers of personal data. These began with (A) the EU-US Safe Harbor Framework, followed by (B) the EU-US Privacy Shield Framework.
A. EU-US SAFE HARBOR FRAMEWORK (SAFE HARBOR) – 2000
a) What? – An agreement between the European Commission and the US Department of Commerce, reached under the EU Data Protection Directive 1995, allowing US companies to self-certify that they would uphold seven privacy principles for personal information received from the EU and related requirements including: notice, choice, onward transfer, access, security, data integrity and enforcement.
b) Downfall – On 6 October 2015, the Court of Justice of the European Union (CJEU) invalidated the Safe Harbor arrangement on the basis that it did not adequately protect personal data from interference by US public authorities conducting surveillance (CJEU Schrems I case).
B. EU-US PRIVACY SHIELD FRAMEWORK (PRIVACY SHIELD) – 2016
a) What? – Replacing Safe Harbor, the US Department of Commerce and the European Commission reached a new agreement which culminated in an adequacy decision on 12 July 2016. The adoption of the Privacy Shield enabled organisations to apply to the US Department of Commerce for certification and required them to comply with seven privacy principles: notice; choice; accountability for onward transfer; security; data integrity and purpose limitation; access; and recourse, enforcement and liability.
b) Downfall – In 2020, after a second challenge from Max Schrems, the CJEU invalidated the Privacy Shield due to “concerns that the level of access to EU personal data by US law enforcement agencies, and a lack of effective oversight, failed to adequately protect the rights of EU data subjects” (CJEU Schrems II).
2. EDPB CONCERNS ON THE PRIVACY SHIELD AND CJEU SCHREMS II DECISION
We will consider (A) the concerns raised by the European Data Protection Board (EDPB) in relation to the Privacy Shield over two successive reports which eventually led to (B) the CJEU Schrems II decision.
A. EDPB’S ANNUAL REPORTS ON THE PRIVACY SHIELD
On 28 November 2017, the Article 29 Working Party (A29WP, predecessor to the EDPB) clearly voiced in its first annual Joint Review Report significant concerns which, if not rectified by the European Commission, would lead to a legal challenge against the Privacy Shield’s adequacy decision. In particular, it identified not only issues with the commercial aspects of the Privacy Shield, such as a lack of information on the principles and a lack of clarity in relation to the processing of HR data and automated decision making/profiling, but also concerns about data collection, oversight, judicial redress and the supervision mechanisms relating to law enforcement and national security.
On 22 January 2019, the EDPB continued to raise concerns in its Report on the second annual review of the Privacy Shield, in spite of progress being made on the commercial aspects of the Privacy Shield. The EDPB raised four main concerns:
a) National security
Although the authorisation of section 702 of the Foreign Intelligence Surveillance Act could have given US legislators an opportunity to introduce additional safeguards for the processing of EU citizens’ personal information against massive and indiscriminate access practices, no significant change was made.
b) Lack of substantive oversight
US companies’ compliance with the Privacy Shield’s principles remained unchecked, in particular in relation to onward transfers, which would have required organisations to put in place contracts with third parties.
c) Lack of any effective redress mechanism
Standing requirements under US law curtailed the ability of EU citizens to seek redress.
d) Permanent ombudsperson
Appointment of a permanent ombudsperson was still awaited.
Despite the non-binding nature of the EDPB’s opinion, its validity was indisputable. The CJEU’s eventual invalidation of the Privacy Shield in 2020 only added weight to the EDPB’s view that the shortcomings of US laws identified in successive reports had not been resolved.
B. CJEU SCHREMS II DECISION
On 16 July 2020, the CJEU in the landmark Schrems II case reached two major decisions which, ever since, have fundamentally disrupted international data flows not only between the EU/UK and the US but also with the rest of the world.
a) The Decision
Firstly, the CJEU invalidated the EU-US Privacy Shield, pointing to the possibilities of mass and indiscriminate surveillance that exist under US national security laws (namely the US Foreign Intelligence Surveillance Act (FISA) Section 702, Executive Order 12333 and Presidential Policy Directive 28). US public authorities’ use of and access to EU data was not restricted by the principle of proportionality.
In particular, the Court was forced to conclude that data subject rights were not actionable before the courts against US authorities. The Ombudsman mechanism, meant to assist with the operation of such rights and to constitute a protection mechanism, did not achieve this purpose, nor was it given the power to challenge decisions of US intelligence services where necessary.
Secondly, the Court also cast serious doubt over the extent to which transfers can be fully legitimised by the European Commission’s Standard Contractual Clauses (SCCs) for personal data transfers to the US and globally. Although the SCCs are still considered valid as a transfer mechanism in principle, EU/UK organisations are subject to additional new requirements when using SCCs to legitimise data transfers to third countries.
Data controllers or data processors relying on SCCs are required to “verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.” Transfer impact assessments were to become a significant new challenge for organisations to contend with when relying on SCCs for data transfers to third countries.
b) The EU Guidance
In the wake of the CJEU decision in Schrems II, the European Union bodies had to work hard to produce guidance and instruments clarifying their requirements for international transfers of personal data, including how to conduct transfer impact assessments.
On 24 July 2020, the EDPB published a set of Frequently Asked Questions (FAQs) on the implications of Schrems II but fell short of providing practical guidance.
On 11 November 2020, the EDPB issued long-awaited formal guidance for consultation on the assessment of transfers of data to third countries following Schrems II (EDPB Guidance). The EDPB Guidance comprises two documents:
- Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Supplementary Measures Recommendations); and,
- Recommendations 02/2020 on the European Essential Guarantees for surveillance measures (EEG Recommendations).
In perfect synchronicity, the European Commission published its new updated SCCs the following day (12 November 2020), incorporating all the new Schrems II requirements. The final SCCs were published on 4 June 2021.
3. THE DRAFT ADEQUACY DECISION ON THE EU-US DPF IN BRIEF
With scope for a new and improved Privacy Shield 2.0, the process of adopting an adequacy decision was launched by the European Commission with its Draft Decision on 13 December 2022. As the culmination of President Biden’s Executive Order 14086 on “Enhancing Safeguards for United States Signals Intelligence Activities”, published on 7 October 2022, along with the regulations issued by US Attorney General Merrick Garland, dated 26 October 2022, the EU-US DPF represents a viable replacement for the Privacy Shield, allowing for the free flow of data from the EU to the US. We set out below a summary of the main features of the EU-US DPF which are meant to address the EDPB concerns previously raised in relation to the Privacy Shield (A), before analysing the risks associated with potential future challenges to the new scheme (B).
A. EU-US DPF NEW FEATURES – A RESPONSE TO EDPB CONCERNS
The Draft Decision sets out the methodology followed by the Commission in its assessment of US law and practice, including EO 14086 and the AG Regulation, before concluding that the US “ensures an adequate level of protection for personal data transferred under the EU-U.S. DPF from a controller or a processor in the Union to certified organisations in the United States.”
The new scheme follows the same mechanism as the Privacy Shield in that it is made available to US organisations which are “certified” under the EU-US DPF, thereby committing them to a new set of privacy principles: the “EU-US Data Privacy Framework Principles”, including the Supplemental Principles (together, the Principles).
While self-certification under the EU-US DPF is voluntary, organisations which decide to self-certify must comply with the Principles.
Eligible organisations must comply with the following criteria:
a) be subject to the investigatory and enforcement powers of the Federal Trade Commission (the FTC), the U.S. Department of Transportation (the DOT) or another statutory body that will effectively ensure compliance with the Principles;
b) declare publicly their commitment to adhere to the Principles;
c) publicly disclose their privacy policies in line with these Principles; and,
d) fully implement them.
The new EU-US DPF will comprise three elements:
a) the Principles to which US organisations may self-certify;
b) the safeguards and limitations regarding the access to data by US public authorities, in particular for criminal law enforcement and national security purposes; and,
c) new redress mechanisms made available to data subjects.
Accordingly, the EU-US DPF appears to directly address EDPB criticisms of its predecessor, the Privacy Shield, including:
a) limiting US intelligence agencies’ access to EU data to what is necessary and proportionate to protect national security;
b) prohibiting the commencement of new intelligence-gathering operations without an initial assessment carried out by the Civil Liberties Protection Officer (CLPO);
c) allowing individuals from qualifying states to lodge complaints with the CLPO where they believe their personal data has been collected unlawfully; and,
d) enabling data subjects dissatisfied with the decision of the CLPO to obtain redress regarding the collection and use of their data by US intelligence agencies before an independent and impartial redress mechanism, by appealing to the newly created Data Protection Review Court (DPRC), consisting of at least six independent judges. The DPRC will be able to independently investigate and resolve complaints from European individuals, including by adopting binding remedial measures.
B. TOWARDS SCHREMS III
As the EU-US DPF progresses through the adoption procedure, it will continue to face considerable hurdles before organisations can rely on it. The EU-US DPF is not expected to be finalised before July 2023. The Commission will next be required to submit its draft decision to the EDPB which will subsequently issue its own opinion. The Commission will then request approval from a committee composed of EU Member States’ representatives. At any point, the European Parliament may scrutinise the adequacy decision and adopt a non-binding position. Most revealing, however, will be the EDPB opinion on the draft adequacy decision. Despite its non-binding status, it is likely to expose the EU-US DPF’s shortcomings, including, amongst others:
a) the fragility of the EU-US DPF’s implementation as an Executive Order rather than legislation passed in Congress;
b) the susceptibility of requirements such as “necessity”, “proportionality” and “minimisation” to liberal interpretation;
c) the integration of redress mechanisms such as the new Data Protection Review Court with the executive branch, and the potential ensuing lack of impartiality; and,
d) the ability of redress bodies to withhold facts and merits in their responses, restricting a data subject’s ability to bring an informed appeal.
No sooner had the draft adequacy decision been published than Max Schrems had rendered his verdict. Commenting, he said that “[the proposed redress system] is an upgrade, but it’s still going to be very hard for the CJEU to look at that and say that it is a court under Article 47 [of the EU Charter of Fundamental Rights]”. Mr Schrems’ criticism of the EU-US DPF raises concerns that Schrems III may be on the horizon.
As such, just as for the Privacy Shield, the imminent EDPB opinion will be a decisive indication of the EU-US DPF’s likely success.