Towards an EU - US Adequacy Decision?
Personal data protection: Will the EU - U.S. adequacy decision lead to easier trans-Atlantic data flows?
On 22 July 2020, the Schrems II decision of the Court of Justice of the European Union (‘CJEU’) overturned the manner in which EU and UK personal data was transferred to the US.
The European Commission (‘Commission’) and the US government initiated discussions on a new trans-Atlantic Data Protection Framework to facilitate EU-US data flows and resolve concerns raised by the CJEU, leading to the announcement of an agreement in principle in March 2022. On 7 October 2022, President Biden signed an Executive Order on "Strengthening Safeguards for US Signals Intelligence Activities", along with regulations issued by the US Attorney General. This transposed the US commitments into US law and supplemented the obligations of US companies.
On this foundation, the Commission issued a draft adequacy decision on the EU-US framework for the protection of personal data on 13 December 2022. This draft reflects the Commission's assessment of the US legal framework and concludes that it provides comparable safeguards to those in the EU and ensures an adequate level of protection for data transferred from the EU to the US.
What happened in Schrems II?
In its preliminary ruling in the Schrems II case, in which privacy activist Maximillian Schrems challenged Facebook Ireland's transfers of personal data to the US, the CJEU invalidated the EU-US Privacy Shield mechanism.
Facebook, alongside thousands of other businesses, used to undertake such personal data transfers using either the Privacy Shield mechanism or the former EU Standard Contractual Clauses. The Privacy Shield was the safeguard mechanism for personal data transfers from the EEA to the US, allowing a US company certified under the framework to receive EEA personal data without having to rely on another mechanism under Chapter 5 of the General Data Protection Regulation (EU) 2016/679 (‘GDPR’), such as entering into the previously mentioned Standard Contractual Clauses.
Nevertheless, the regime had its flaws, and after just four years of existence it was declared invalid. This was primarily due to the broad data capture powers granted by US national security legislation, namely Section 702 of the Foreign Intelligence Surveillance Act (known as FISA) and Executive Order 12333, which contradicted Europe’s notion of fundamental rights under the EU Charter of Fundamental Rights (‘EU Charter’) and, by extension, the GDPR.
It was also claimed that the framework did not provide sufficient mechanisms to resolve the discrepancy between US surveillance laws and EU privacy legislation. Notably, the Ombudsman system in place in the US was considered to lack “essential equivalence” with the procedures provided by the GDPR and the EU Charter.
The former Standard Contractual Clauses were also addressed in this decision, with the CJEU highlighting the modifications required to ensure that they were more than just a piece of paper signed and tossed into a drawer. The revised EU Standard Contractual Clauses, introduced on 4 June 2021, addressed this; however, a Privacy Shield-shaped hole has remained a concern for several businesses over the last two years.
What does the draft adequacy decision provide?
Negotiations between the US and the Commission have resulted in a draft adequacy decision on the EU-US framework for the protection of personal data, which would make trans-Atlantic transfers possible. The key elements of this draft are as follows:
Certification
Companies self-certify to the US Department of Commerce under the former Privacy Shield regime (which still exists in the US but cannot be utilised as a mechanism under the GDPR), and the Department validates such self-declarations in order to provide certification. This certification framework is still in place, and numerous companies continue to self-certify, as the certification itself can be seen as a badge of quality in terms of a company’s data protection policies in the US (particularly for international companies).
Regarding certification, US companies will be able to adhere to the EU-US data protection framework by committing to a detailed set of privacy obligations. These obligations include, for example, the obligation to erase data when it is no longer necessary for the purpose for which it was collected, and to maintain the protection of personal data when it has been transferred to third parties.
The effective implementation of this framework will also be ensured by the Department of Commerce's obligations of transparency and administration.
The US legal framework imposes a number of limitations and safeguards regarding access to data by US public authorities, including for criminal law enforcement and national security purposes. The new measures introduced in the Executive Order directly address the issues raised by the Schrems II judgment:
A multi-level redress mechanism
Under the draft adequacy decision, EU citizens will have access to several remedies, including free access to independent dispute resolution mechanisms and an arbitration panel.
The US allows Europeans to seek redress over the collection and use of their data by US intelligence agencies through an independent and impartial redress mechanism, which includes the creation of a Data Protection Review Court, composed of individuals selected from outside the US government. The Court will independently review and resolve complaints from Europeans, including adopting binding remedies where necessary.
This is in direct response to the concerns of the CJEU over the former US Ombudsman process and its lack of equivalence to the right of effective remedy before a tribunal stipulated under Article 47 of the EU Charter.
Necessary and proportionate data collection
Access by US intelligence agencies to European data will be limited to what is necessary and proportionate to protect national security. This is language taken from the GDPR and therefore, is an attempt to bring the US regime closer to the gold standard offered in the EU and the UK.
Such processing of EEA personal data must not have an undue impact on the protection of individual privacy and civil liberties. However, how this plays out in practice remains to be seen.
The possibility to rely on these safeguards in conjunction with other transfer mechanisms
European companies will be able to rely on these safeguards for trans-Atlantic data transfers, even when using alternative transfer mechanisms, such as standard contractual clauses and binding corporate rules.
Will this be adequate in light of the Schrems II decision?
The Biden administration asserted, in its fact sheet announcing the agreement in principle, that there are more data transfers between the United States and Europe than anywhere else in the world, sustaining the $7.1 trillion US-EU economic relationship. As a result, the disruption generated by the Schrems II decision has taken a toll on this partnership in terms of personal data flows. Negotiations on “international transfer” provisions have taken up an increasing amount of time for several organisations, and in some circumstances, have become a sticking point or even a dealbreaker.
Companies in both the US and the EU are fully aware of this, having spent nearly two years depending on alternative transfer mechanisms, such as the Standard Contractual Clauses, which have more recently incorporated the requirement to undertake transfer impact assessments.
Strongly inspired by the Executive Order issued last October, this draft adequacy decision significantly improves the Privacy Shield and can be seen as an important step toward ensuring the legal stability, predictability, and accountability of data flows for businesses of all sizes and for the trans-Atlantic relationship.
However, several key legal issues remain unresolved regarding its compliance with the requirements of EU law and the standards of the CJEU, including its effectiveness in protecting the fundamental privacy and data protection rights of US and European consumers, as NOYB pointed out in a press release expressing its initial reaction to the draft adequacy decision. In NOYB’s opinion, the modifications the Executive Order introduces to US law appear rather minimal. Moreover, as the draft adequacy decision is based on the Executive Order, NOYB concluded that any European Commission adequacy judgements based on the Executive Order will most likely fail to satisfy the CJEU.
Ultimately, only time will tell if this draft adequacy decision meets the criteria required under the GDPR, if (or when) the new regime is brought before the CJEU.
What are the next steps?
The draft adequacy decision will now be subjected to the adoption procedure. The European Data Protection Board (‘EDPB’) will examine the draft and issue an opinion. Following this, the Commission will seek the approval of a committee composed of representatives from the EU Member States. It should be noted that the European Parliament will also have the option of reviewing the adequacy decision. Once this procedure is finalised, the Commission will be able to proceed with the adoption of the final adequacy decision.
In addition, the functioning of the EU-US data protection framework will be subject to periodic reviews, the first of which will begin within one year of the adequacy decision’s entry into force and will be carried out by the European Commission in collaboration with the European data protection authorities and the competent US authorities. The purpose of this is to ensure that all key elements of the US legal framework have been fully implemented and are functioning properly in practice.
As usual, if you need any assistance regarding your data protection matters, including international transfers then do not hesitate to contact us!
Article by Maude Lindfelt and Nathalie Pouderoux, December 2022