On December 13, 2022, the European Commission (“Commission”) formally launched the process to adopt an adequacy decision for the EU – U.S. Data Privacy Framework and proposed a draft adequacy decision concerning personal data transfers to the U.S. (available here).
The draft adequacy decision follows the signature of an Executive Order by US President Biden on October 7, 2022 (“Order;” previously discussed here) which implemented into U.S. law commitments made regarding a new EU-US Data Privacy Framework to replace the EU – US Privacy Shield pursuant to the agreement in principle announced on March 25, 2022 (as previously discussed here).
In the draft adequacy decision, the Commission first assesses the Data Privacy Framework and its related obligations for companies as well as limitations and safeguards on U.S. public authorities’ access to personal data on criminal law enforcement and national security grounds.
As expected, the draft adequacy decision then concludes that the U.S. has taken steps to ensure that the current U.S. data privacy regime does not undermine the level of protection of personal data transferred from the EU to the U.S. under the relevant EU laws.
This conclusion is based on the main safeguards that are provided by the US Executive Order including:
- New rules limiting access to personal data by US intelligence authorities to what is necessary and proportionate to advance a validated intelligence priority in pursuit of defined, legitimate national security objectives, and requiring prioritization of “targeted” as opposed to “bulk” data collection;
- Mandatory “handling requirements” such as the establishment of policies and procedures designed to minimize the dissemination and retention of personal information collected through signals intelligence activities and implementation of data security and access safeguards that provide appropriate protection and prevent access by unauthorized persons;
- Obligations to update, in consultation with the Attorney General, the Civil Liberties Protection Officer and the Privacy and Civil Liberties Oversight Board, policies and procedures as necessary to implement the privacy and civil liberties safeguards in the Order and release those policies publicly, to the maximum extent possible, to enhance the public’s understanding of, and to promote public trust in, the safeguards pursuant to which the U.S. conducts signals intelligence activities;
- Increased supervision of U.S. intelligence services to ensure compliance with restrictions on surveillance activities; and
- The establishment of an independent and impartial, multi-layer redress mechanism, including a newly created Data Protection Review Court composed of members from outside the U.S. government, to investigate complaints and issue binding decisions regarding data access by US national security authorities.
It is important to note that the safeguards under the Data Privacy Framework (including the redress mechanism) will be available for all transfers of personal data to the U.S. under the GDPR, regardless of the transfer mechanisms used. This means that EU companies will be able to take into account the Data Privacy Framework in their data transfer impact assessments they are required to carry out when relying on contractual transfer mechanisms, namely the standard contractual clauses and binding corporate rules.
Next steps
The draft adequacy decision has now been sent to the European Data Protection Board for its opinion. The text will also have to be approved by a committee composed of representatives of the EU Member States and the European Parliament can exercise its right of scrutiny.
After this process, the European Commission is expected to adopt the final adequacy decision, which will allow data transfers from the EU to the companies that self-certify, and annually re-certify, to the U.S. Department of Commerce, and publicly commit to comply with, the new Data Privacy Framework, a list of which will be publicly available, maintained and annually reviewed by the U.S. Department of Commerce for accuracy.
After one year from the notification date of the adequacy decision to the Member States and subsequently at least every four years, the European Commission will carry out a new evaluation on the basis of all available information, including information obtained through the review carried out together with the US competent authorities. Moreover, where the European Commission has indications that an adequate level of protection is no longer ensured, it will inform the competent US authorities and, if necessary, decide to suspend, amend or repeal the adequacy decision, or limit its scope. It is likely that once the adequacy decision is finally adopted, it will eventually be subject to legal challenge before the EU courts, and ultimately the CJEU. Certain critics and privacy advocacy groups have also already publicly challenged the validity of this new adequacy decision and announced their intention to challenge it.