On December 13, 2022, the European Commission published a draft adequacy decision on the EU-US Data Privacy Framework (the “Framework”), the successor to the EU-US Privacy Shield Framework that was famously struck down by Europe’s top court two years ago.
While the purpose of the draft adequacy decision, once adopted, is to permit transfers to US companies that certify to the Framework, the effect is much broader: this decision will bring much-needed certainty for EU-US data transfers based on other mechanisms too – including standard contractual clauses, which account for the majority of data transfers.
Background and what happens next
We’ve covered the twists and turns of the EU-US data transfer saga before (see Déjà Vu All Over Again: EU High Court Invalidates Privacy Shield For EU–U.S. Data Transfers; Post Schrems II Guidance: EU Regulators Raise Bar For Global Data Transfers; Navigating EU Data Transfers: Effects of Schrems II Start to Bite; EDPB Defines a “Transfer” Under the GDPR; Use of Google Analytics by EU Websites Violates GDPR; and U.S. and EU Reach Political Agreement On a New Trans-Atlantic Data Privacy Framework: The Implications for Businesses).
This draft adequacy decision is the next step in the march towards full approval of the new Framework, which, once approved, will allow US companies to self-certify to the US Department of Commerce their compliance with a set of agreed privacy principles in order to freely receive EU personal data. It is a clear signal that the European Commission considers President Biden’s Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities” to address the US government access concerns that led the EU Court of Justice to strike down the Privacy Shield Framework. Read our blog post on the Executive Order here.
Now, the European Data Protection Board (“EDPB”) will review the draft adequacy decision and weigh in on the sufficiency of the protections. Although the EDPB’s findings are not binding, they could lead to additional changes if the EDPB raises significant concerns. The EDPB has not set a deadline for its review, but we expect the process to take at least 6 months. Once the draft is finalized, the European Commission will put the proposal before a committee of EU Member State representatives, which will have the final say.
Of course, even if (or when) the Framework is formally approved, the European Commission and European Parliament will continue to review the sufficiency of its protections. And data subjects, civil liberties groups, and data protection authorities may launch fresh challenges, which could lead to further scrutiny by the courts.
Key features of the draft decision
At 134 pages, the draft adequacy decision is a dense document that (1) sets out the Framework Principles that companies will need to adhere to if they want to rely on it, (2) provides supporting materials from US officials that explain how US laws, including the new Executive Order, protect EU personal data, and (3) analyzes the sufficiency of such safeguards and the Framework Principles against EU data protection standards.
The key takeaways for companies are:
- The Framework Principles remain (almost) unchanged from the previous Privacy Shield Principles. If you complied with the old Privacy Shield Framework, you should not need to make any material changes to your privacy program in order to re-certify to the new Framework, assuming it is approved in its current form.
- The European Commission thinks that Biden’s Executive Order addresses all the gaps that led to the invalidation of the Privacy Shield Framework. Specifically, the European Commission considers the new necessity and proportionality limitations on access for intelligence purposes and the new oversight and redress mechanisms (including the new Data Protection Review Court) to align with EU requirements.
Impact on TIAs and SCC transfers?
The draft adequacy decision and its supporting materials make clear that US protections from government access are not confined to transfers based on the Framework. As Bruno Gencarelli, head of International Data Flows at the European Commission, explained following the announcement:
“The safeguards we negotiated governing [US government] access – the safeguards on necessity, proportionality, requests – have been negotiated so that they will be effective . . . and they will apply to any transatlantic transfer regardless of the mechanism used, including transfers on the basis of standard contractual clauses or binding corporate rules.”
This means that if you export data to the US based on standard contractual clauses or binding corporate rules, you can rely on the European Commission’s determination that US law provides for sufficient protection from government access. As a result, your transfer impact assessments (“TIAs”) to support these transfers will be much shorter and simpler.
US-based companies should find it easier to persuade their European counterparts that the transfer to the US will not expose them to heightened legal risk, regardless of what transfer mechanism they use. For European companies, this adequacy decision will allow them to move ahead with those transfers with greater confidence.