On 13 December 2022, the European Commission published its draft adequacy decision (Draft Decision) in respect of the new EU-U.S. Transatlantic Data Privacy Framework (DPF). This marks the first step of the process towards adoption of this adequacy decision for the U.S. and is long-awaited news for many international businesses.
Background
The issue of how to approach EU to U.S. data transfers has been a point of concern for many businesses since the EU-U.S. Privacy Shield framework was invalidated by the Court of Justice of the European Union (CJEU) in July 2020 in the landmark Schrems II case
Following Schrems II, there was much speculation as to how the U.S. and the EU could address the issues of U.S. government surveillance highlighted in Schrems II, and once again reach a compromise to facilitate a new adequacy arrangement. In March 2022, European Commission President Ursula von der Leyen and U.S. President Joe Biden announced an agreement 'in principle' on a new framework to govern these transfers. Subsequently, on 7 October 2022, President Biden issued Executive Order 14086 (DPF Executive Order) which set out key commitments of the U.S. to the new privacy framework – in particular, a new two-tier redress mechanism for data subjects in the EU and oversight mechanisms on the U.S. signals intelligence agencies (for more information, please see our client alert here).
Key elements of the Draft Decision
The Draft Decision acknowledges the commitments of the Executive Order and sets out in further detail the changes that have been, and are being, put in place by the U.S. to satisfy the concerns raised by the CJEU in order to enable the DPF to move forward.
The European Commission explains that under the new framework, certain eligible organisations in the U.S. will be able to certify their participation in the framework (as they were able to under the Privacy Shield framework), by committing to a detailed set of principles regarding privacy, data security and data sharing. Obligations under the DPF's principles include:
- providing sufficient privacy notices;
- offering individuals a choice of whether their personal data is disclosed to a third party;
- purpose limitation and ensuring that data subjects have the right of access to their personal data; and in addition
- organisations must provide individuals in the EU with information on redress mechanisms to address complaints, either with the organisation itself or with an independent dispute resolution body.
Organisations will need to re-certify to the framework each year, and again demonstrate their continued commitment to the obligations. Random 'spot checks' will be carried out on certified organisations to ensure that they are fully implementing their policies and procedures.
The Draft Decision confirms the following key elements of the new proposed framework as initially set out in the DPF Executive Order:
Necessity and proportionality. U.S. signals intelligence (SIGINT) authorities' access to data will be restricted to that which is (i) necessary to advance a validated intelligence priority; and (ii) proportionate, balancing the importance of intelligence against the impact on privacy and civil liberties of individuals, based both inside and outside of the U.S.
Surveillance limitations and oversight. SIGINT agencies are subject to increased limitations and safeguards on surveillance activities under the DPF Executive Order. There will be increased oversight to monitor compliance with such, and agencies will be required to implement these new safeguards within their own policies and procedures by 7 October 2023.
Redress mechanism (intelligence agencies). Under a two-layer redress mechanism, individuals in the EU will firstly be able to lodge a complaint against SIGINT agencies with the Civil Liberties Protection Officer, and then may appeal a decision to the new Data Protection Review Court. The court will be compiled of government members who can only be dismissed for serious cause and cannot receive instruction from the U.S. government.
Redress mechanisms (organisations). In addition to the mechanism above, the Draft Decision also sets out numerous redress options for individuals in the EU against certified organisations that process their personal data and fail to comply with the framework.
Analysis and commentary
The DPF shares several similarities with the Privacy Shield framework. The DPF's principles, certification and re-certification process are substantially similar to their equivalents under the Privacy Shield framework. In addition, the eligibility criteria for participating organisations remains substantially similar: only organisations that are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC) or the U.S. Department of Transportation (DoT) may be eligible for certification under the DPF. This will be disappointing to organisations outside of the jurisdiction of the FTC or DoT, such as depository institutions (i.e., banks, federal credit unions, and savings and loan institutions), who were anticipating an expanded scope of eligibility under the DPF.
A key concern of organisations is the durability of the DPF. In more ways than one, the unofficial designation of the DPF as "Privacy Shield 2.0" in public commentary also reflects concerns that it will be subject to a similar legal challenge as its predecessor. Privacy activists, such as NOYB's Max Schrems of the eponymous Schrems II case, have criticised the DPF Executive Order, in particular over the effectiveness of the redress and oversight mechanisms, and have indicated that a similar legal challenge to the DPF will be forthcoming.
Didier Reynders, the EU Justice Commissioner, has also indicated that a legal challenge is likely, but has suggested that the DPF is more than likely to survive it. A similarly optimistic assessment on the DPF was also published by the Hamburg data protection authority in November, which indicated that the DPF Executive Order was able to address the concerns raised by the CJEU in Schrems II.
Next steps and practical takeaways
The Draft Decision is currently making its way through the EU's lengthy comitology procedure. The European Data Protection Board (EDPB) is currently analysing the draft decision and, once concluded, will issue its (non-binding) opinion. Following this, a committee comprised of representatives from each EU Member State will need to approve the decision, and the European Parliament will also review and may raise objections.
If the Draft Decision receives approval, a finalised adequacy decision can be adopted by the European Commission and organisations may certify to the DPF in order to transfer personal data from the EU to the U.S. without the need for other data transfer mechanisms. We understand that the approved text of the Draft Decision may be available as soon as in the spring of 2023. However, the EDPB's opinion will be influential in this process, and substantial criticism will likely require further revisions and delays to the finalised decision.
For now, organisations may want to consider factoring the Draft Decision and the DPF Executive Order into their data transfer impact assessments to build a more comprehensive overview of the laws and practices of the U.S.
Organisations may also consider assessing their practices to determine whether a future certification to the DPF based on the current wording of the Draft Decision is suitable. Organisations that have previously certified to the Privacy Shield framework should also assess whether their practices still qualify for certification or, if they have substantially evolved, what steps will be needed for re-certification.
Beyond this, organisations should continue to implement existing data transfer mechanisms, such as the EU Standard Contractual Clauses, to lawfully transfer data from the EU to the U.S. We are watching this space for updates.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.