Since Schrems II invalidated the US/EU Privacy Shield, the flow of personal data from the European Union to the United States has been subject to intense regulatory scrutiny. Companies transferring personal data to the United States have had to rethink their strategy for lawfully transferring personal data, which commonly included adopting the EU Standard Contractual Clauses and conducting time-consuming transfer risk assessments in line with the guidance from the European Data Protection Board (EDPB) and regional data protection authorities. However, companies may soon get a reprieve from these challenges. On December 13, 2022, the European Commission adopted a draft adequacy decision designating the EU-U.S. Data Privacy Framework (Framework) as “adequate” under the EU General Data Protection Regulation (GDPR). The European Commission’s proposal of this draft adequacy decision paves the way for a reliable mechanism for EU-U.S. data transfers, at least until it faces the inevitable legal challenges.
DRAFT ADEQUACY DECISION
Based in significant part on the Executive Order issued by US President Joe Biden in October 2022, the European Commission proposed an adequacy decision for the United States premised on (1) additional safeguards for EU individuals whose information is sent to US-based companies that have certified compliance with the Framework and (2) additional safeguards related to the collection of personal data by US intelligence agencies, including limits on those agencies' access to personal data and enhanced oversight of their data collection activities.
The draft decision reinforces the privacy obligations on US companies committing to join the Framework. For example, certifying companies will need to comply with traditional privacy principles such as data minimization, provide data subjects with a privacy notice, offer data subjects rights with respect to their personal data and execute contracts with companies with whom they share personal data. Many companies will already be familiar with similar obligations under the various US state privacy laws, and the requirements are not materially different from those of the prior EU-U.S. Privacy Shield. The European Commission’s announcement also highlights the fact that under the new Framework, EU citizens “will benefit from several redress avenues if their personal data is handled in violation of the Framework, including free of charge before independent dispute resolution mechanisms and an arbitration panel.”
Taking direct aim at the criticisms of the Privacy Shield, the European Commission explained that the new Framework is different from the Privacy Shield because it “establishes a new two-layer redress mechanism [for individuals], with independent and binding authority.” This includes establishing a new Data Protection Review Court to investigate and resolve individual complaints regarding access to their data by US national security authorities.
Between this new redress mechanism, limitations on US intelligence data collection and the detailed process that will be required for compliance with the Framework, the European Commission is signaling that it believes the new Framework can withstand legal challenges.
WHERE DO WE GO FROM HERE?
The adequacy decision process began with the European Commission publishing this draft adequacy decision. That draft decision now goes to the EDPB, which will review and issue an opinion. The draft decision will then move through committee for EU Member State approval. Once that process is completed—and assuming that the decision survives those different layers of scrutiny—the European Commission can adopt the final adequacy decision. This process could take as little as one month, but there is an expectation that it could take up to six months.
WHAT CAN US COMPANIES DO NOW?
Past attempts to create a trans-Atlantic data framework have been invalidated twice by the Court of Justice of the European Union, in 2015’s Schrems I and 2020’s Schrems II. This time, however, the European Commission is taking the affirmative position that the new EU-U.S. Data Privacy Framework addresses the issues raised by the Court of Justice of the European Union in Schrems II. Mr. Schrems, however, has already said: “As the draft decision is based on the known Executive Order, I can’t see how this would survive a challenge before the Court of Justice. It seems that the European Commission just issues similar decisions over and over again—in flagrant breach of our fundamental rights.” It is thus a near certainty that he will file yet another action to challenge this latest framework.
Today’s announcement is still welcome news for US companies that are eagerly awaiting a simplified data transfer mechanism for their increasingly global businesses. A new cross-border data transfer framework will ease the administrative burden many are currently contending with under alternative solutions, such as Standard Contractual Clauses. US-based importers of personal data should evaluate the Framework’s requirements and determine whether they will join the Framework. Companies can take steps now to assess what gaps in their compliance programs may need to be remediated before certification, to best position themselves for quick certification once the Framework is formally adopted.
If you have any questions about the implementation of the new EU-U.S. Data Privacy Framework or other cross-border transfer questions, please contact your regular McDermott lawyer or the authors listed below.