Table of contents
- Why is the European Commission’s Adequacy Decision Important?
- What Does the EC Draft Adequacy Decision State?
- What Are the Highlights of the EC Draft Adequacy Decision?
- What Principles Have Been Introduced Under EU-US DPF?
- Do Businesses Still Have to Conduct TIAs and Sign SCCs Under the New EU-US DPF?
- Can We Expect a Schrems III?
- Final Thoughts
The legal turmoil regarding cross-border data transfers from Europe to the US under the GDPR has had many twists and turns. Initially, the US and the EU entered into the Safe Harbor Agreement, 2000, which regulated cross-Atlantic data transfer and allowed the legal transfer of personal data between EU member countries and the US.
However, the Safe Harbor Agreement was struck down in 2015 in the famous Schrems I ruling. In this case, the Court of Justice of the European Union (CJEU) found that personal data from the EU was not sufficiently protected in the US, especially due to the intelligence activities of US public authorities, and thus invalidated the adequacy decision of the European Commission (EC) that led to the execution of the Safe Harbor Agreement.
Subsequently, the EC and the US negotiated a new framework for the trans-atlantic exchange of personal data in 2016, known as the Privacy Shield (PS). The PS framework was also challenged later on before the CJEU. In the Schrems II case, the CJEU invalidated the PS framework on the basis that it did not ensure an essentially equivalent level of protection (as offered under the EU law) for the personal data of EU subjects in the US.
These legal twists and turns had the potential to hinder trans-atlantic trade as the cost of compliance for US businesses to continue providing services in the EU were beginning to rise, and the uncertainty of the compliance landscape did not allow for long-term planning.
However, businesses will soon have much-needed legal peace of mind as the EC has published a draft adequacy decision for the EU-US Data Privacy Framework (DPF). The draft decision comes after the US President, Joe Biden, signed Executive Order 14086 on Enhancing Safeguards for U.S. Signals Intelligence Activities (EO 14086) in October 2022, addressing the concerns raised in the Schrems II case by the CJEU.
Read on as we discuss the importance of the EC’s draft adequacy decision, the highlights of the decision, and its implications.
Why is the European Commission’s Adequacy Decision Important?
The EU takes the privacy of its citizens seriously. Therefore, it has enacted data protection laws for the collection, processing, and transfer of personal data. These laws ensure that the EU residents’ personal data is well protected and the citizens have greater control over how their personal data is used. The EU’s General Data Protection Regulation (GDPR), which has inspired many countries to draft their own version of data protection laws, introduced one key aspect with regard to cross-border data transfer, i.e., Data Sovereignty.
The concept of Data Sovereignty demands that the personal data of an EU resident collected by a covered entity under the GPDR must always be provided a standard of protection essentially equivalent to the GDPR wherever or to whomever it is transferred.
Therefore, to facilitate legally compliant cross-border data transfers, the EC developed the framework of “adequacy decisions” as per Article 45 of the GDPR, through which the EC studies the laws of third-party jurisdictions to determine their ‘adequacy’, i.e., whether they provide an essentially equivalent level of protection to EU residents’ personal data as provided by the GDPR.
Thus, the adequacy decision is a formal determination made by the EC, specifying that the data protection measures in a particular country are essentially equivalent to that of the EU. Adequacy decisions by the EC enable a free flow of personal data transfer between the EU and the countries outside the European Economic Area (EEA), ensuring that the personal data of EU citizens are protected following the same standards as followed in the EU.
Without an adequacy decision, transfers of data to third countries fall under Article 46 of the GDPR, which provides onerous technical, contractual, and legal requirements to be fulfilled for data transfer to inadequate third countries or international organizations - thus, adequacy decisions are very helpful for trade.
What Does the EC Draft Adequacy Decision State?
Cross-border data transfers outside the EU, especially to the United States, have always been a huge concern. In this respect, in the Schrems II case, the CJEU expressed concern regarding the excessive access of personal data by the US intelligence agencies. The other aspects highlighted by the CJEU were the absence of a legal data protection framework that could provide an equivalent level of protection of personal data as that of GDPR and the lack of any redress mechanism that could allow individuals to legally challenge any wrongdoings or misuse of their data.
The EU-US draft adequacy decision by the EC will put most of these concerns to rest as the decision reaches a position conclusion regarding the data protection framework in the US following its evaluation of:
- the safeguards and limitations concerning access and processing of personal data in the US by public authorities; and
- whether the data protection measures in the US offer “essential equivalence” under Article 45 of the GDPR and as interpreted by the CJEU in the Schrems II case.
“Over the past months, we assessed the US legal framework provided by the Executive Order as regards the protection of personal data. We are now confident to move to the next step of the adoption procedure. Our analysis has shown that strong safeguards are now in place in the U.S. to allow the safe transfers of personal data between the two sides of the Atlantic,“ said the Commissioner for Justice, Didier Reynders.
Executive Order (EO) 14086 played a significant role in enabling the EC to reach the draft adequacy decision concerning the validity of data transfer to the US. The new EO 14086 focused on modifying certain aspects of the US ‘Signal Intelligence’ activities that formed the basis of CJEU’s conclusion of invalidating the EU-US PS. Specifically, the new Executive Order now requires that:
- the signal intelligence activities of US intelligence services should only be conducted when they are “necessary and proportionate” (Sec. 2 (a)(ii)(B) of EO 14086); and
- a set of redress mechanisms needs to be established to enable foreigners in ‘qualifying states,’ as designated by the US Attorney General, to obtain redress in relation to legal violations concerning the collection, use, and processing of their personal data by the US intelligence agencies. Any filed complaints will be reviewed and resolved through a two-tier redress mechanism involving the Civil Liberties Protection Officer and the newly created Data Protection Review Court (Sec. 3 of EO 14086).
In addition to the foregoing, the EO 14086 also mandates that all signal intelligence activities should respect the civil liberties of all individuals, regardless of their nationality or place of residence.
For more information: Download Whitepaper: An Overview of the New Executive Order
What Are the Highlights of the EC Draft Adequacy Decision?
The draft adequacy decision offers a comprehensive set of terms and conditions for data controllers and processors involved in cross-border data transfer between the EU and the US.
The draft first defines personal data or personal information on the basis of the GDPR and the EU-US Data Privacy Framework (DPF) Principles, including the Supplemental Principles as issued by the US Department of Commerce (DoC) (collectively, the Principles), as any data about an “identified or identifiable individual” that falls within the scope of the GDPR, received by a US-based organization from the EU, and recorded in any form. Personal data also includes pseudonymized research data. Moreover, ‘processing’ is defined as any set of operations that are performed upon the transferred personal data, regardless of whether it is done in an automated fashion or not.
The decision also specifies that the protection provided under the EU-US DPF applies to any personal data transferred from the EU to organizations in the US. It is important to note here that the organizations discussed here are those that have self-certified their adherence to the Principles. However, there may be certain exceptions to this stipulation. For instance, any data that is collected for publication, broadcast, or other forms of public communication of journalistic material cannot be transferred on the basis of the EU-US DPF.
Annex I to the draft decision further clarifies that if an organization relies on the protections offered by the EU-US DPF in the context of employees' personal data that is transferred from the EU to the US, it must specify this when it self-certifies to the DoC, and adhere to the requirements set out in the Supplemental Principles on Self-Certification.
Apart from the aforementioned points, here are some additional highlights from the draft adequacy decision.
- Self-certification: An organization can rely on the EU-US DPF only when it self-certifies its compliance with the Principles. Furthermore, to enter the EU-US DPF, an organization must be subject to the investigatory and enforcement power of the Federal Trade Commission (FTC), the Department of Transportation (DoT), or any other relevant statutory authority that ensures the organization’s adherence to the Principles. Moreover, such an organization must publicly declare its commitment to comply with the Principles, disclose its privacy policies which should be in line with the Principles, and fully implement them. DPF organizations are required to recertify their adherence to the Principles annually.
- EU-US DPF Principles: The draft decision also comments on the EU-US DPF Principles, which organizations must follow when collecting, processing, retaining, or disclosing personal data. The draft decision categorizes the tenets developed from the Principles in the following themes: purpose limitation and choice for individuals to opt-out if their data is disclosed to a third party or used for a new purpose that is materially different but still compatible with the original purpose, provision of specific safeguards for the processing of sensitive personal data, data accuracy, transparent collection and processing of personal data, fulfillment of data privacy rights of the individuals, data minimization, data security, accountability, and restrictions on the onward transfer of data to a third jurisdiction. These principles are further discussed in detail later in this article.
In the event of non-compliance, the DoC will require the organization to fill out a questionnaire. If the organization fails to fill out the questionnaire in a timely and satisfactory manner, the DoC will forward the case to the FTC or DoT. In case of continuous non-compliance with the Principles, the relevant organization will be removed from the EU-US DPF List and be required to delete or return all the collected personal data under the EU-US DPF.
- Enforcement: Section 2.3.4 of the adequacy decision and Annex IV to the decision shed light on the enforcement authorities that are responsible for ensuring the implementation of the Principles. The draft decision specifies that the EU-US DPF will be administered and monitored by the DoC. Further, EU-US DPF organizations will be subject to the investigatory and enforcement powers of the FTC and the DoT. The FTC will be authorized to investigate the EU-US DPF-listed organizations and their adherence to the Principles. Moreover, the statutory body can seek federal or administrative court orders to enforce compliance, and it may even seek civil penalties in case of non-compliance.
Redress Mechanisms: One of the critical reasons that the EU-US PS failed to hold its ground in the Schrems II case was the lack of any independent redress mechanism. The provision of effective redress mechanisms against any legal violations or rights infringement is one of the most important parts of the EU data protection framework. Articles 77, 78, and 79 of the GDPR provide individuals the right to receive redress for the violations of their rights and freedoms and specify the conditions for lodging a case and the applicable jurisdictions of courts. Thankfully, the EO 14086 now provides a comprehensive redress mechanism that is further attested in the draft adequacy decision.
Under the EU-US DPF, concerned individuals can file complaints regarding any misuse of their personal data by any EU-US DPF-certified organization in the US. An independent recourse mechanism will be available for such individuals to forward their complaint and have it investigated and remediated expeditiously without any cost incurred. Individuals can take their complaints directly before the FTC or DoC, to the organization itself, to an independent dispute resolution entity, or to a national data protection authority in the EU.
It is important to note that individuals can leverage any recourse mechanism and any sequence of action for it as they deem necessary. In the event the foregoing recourse avenues fail to resolve an individual’s complaint, such an individual can invoke binding arbitration upon fulfilling the pre-arbitration requirements in accordance with the ‘Arbitral Model’ attached to the draft decision.
What Principles Have Been Introduced Under EU-US DPF?
The draft adequacy decision lists the following Principles which must be adhered to by the US controllers and processors under the EU-US DPF. Let’s take a quick look at the safeguards mentioned in the Principles.
Similar to Articles 12, 13, and 14 of the GDPR as well as recital 58, transparency is one of the core elements of the EU-US DPF Principles. An EU-US DPF certified organization must provide a notice to the data subjects about, amongst other things, its inclusion in the EU-US DPF, its adherence to the Principles, the types of personal data collected, the purposes of the processing, the identity of the third parties to whom the data is disclosed, mechanism of contacting the organization, rights of the data subjects, and the available recourse mechanisms.
The notice should be provided in a “clear and conspicuous language” when individuals’ information is collected or as soon thereafter as is practicable, but in any event, before the organization uses such information for a purpose other than that for which it was originally collected or processed, or discloses it for the first time to a third party.
The Choice Principle requires organizations to provide individuals with the right to object (opt-out) to the disclosure of their personal data to third parties (with the exception of entities acting as processors). Furthermore, individuals can further object to the use of their personal data for purposes materially different from the purpose for which the data was originally collected or subsequently authorized by the individuals. Moreover, individuals’ affirmative express consent (opt-in) must be obtained before the disclosure or use of their data for another purpose. Also, an organization should treat any such information from a third party as sensitive if the third party identifies and treats it as sensitive.
Data Integrity and Purpose Limitation
This Principle requires organizations to limit the processing of personal data to what is specific to the purpose of processing. An organization may not process personal data for any purpose that is incompatible with the purpose for which it was originally collected or subsequently authorized by the individual.
The EU-US DPF Principles give EU data subjects the right to request access to their personal data, the right to obtain rectification or correction of incorrect or inaccurate data, and the right to deletion of data that is not in compliance with the Principles. Similarly, in cases where the data is used for direct marketing purposes, individuals have the right to opt-out of such processing at any time.
Data Minimization & Accuracy
Subject to the specified exceptions, this Principle requires organizations to limit the storage and processing of personal data of individuals to the extent necessary for the purpose it was intended. To that extent, organizations are further obligated to take the necessary measures to ensure that the data collected is accurate, updated, complete, and reliable for its intended use.
Data Security & Accountability
Similar to Article 32 of the GDPR, the Security Principle requires organizations to take appropriate technical and organizational measures for the protection of personal data while taking into account the nature, scope, and risk of processing. The Principles require that the data must be protected against misuse, loss, unauthorized access, disclosure, alteration, and destruction.
Organizations are further required to establish a self-assessment process to periodically assess their compliance with the Principles, which must include internal procedures that ensure employee training on the implementation of the organization’s privacy policies. Organizations’ compliance with the Principles should be periodically reviewed in an objective manner or through outside compliance reviews. Organizations must also maintain records of such activities so that they may produce them during an investigation or in response to a complaint.
Restrictions on Onward Transfers
The Principles set clear guidelines for organizations in the US that receive data from an EU organization but are required to transfer the data onward to another recipient in the US or any other third country. The draft provides certain limitations for onward transfers of personal data received from the EU, such as the data needs to be used for limited and specific purposes. Moreover, there needs to be a contract with the third party for further transfers. Onward transfers to organizations in the US, or any third country is only possible if the receiving country offers the same level of protection as is required by the Principles.
Recourse, Enforcement and Liability
The mechanisms for effective privacy protection include readily available independent recourse mechanisms, procedures for verifying any attestations and assertions made by an organization, and obligations to remedy problems arising from failure to comply with the Principles through organizations announcing their compliance with them and facing serious consequences for non-compliance. Moreover, organizations and their selected independent recourse mechanisms should promptly respond to inquiries and requests posed by the DoC in relation to the EU-US DPF.
Organizations are also obligated to arbitrate claims in accordance with the specified legal framework in the draft decision and publicly make available relevant sections of any compliance or assessment reports submitted to a judicial or statutory body in relation to the EU-US DPF, taking into consideration the applicable confidentiality requirements. Furthermore, organizations shall remain liable for any incompatible processing activities performed by their processors.
Do Businesses Still Have to Conduct TIAs and Sign SCCs Under the New EU-US DPF?
The EU allows cross-border data transfer if the receiving country meets the requirements of Article 45 of the GDPR, i.e., the country meets or ensures an “adequate level of protection.” The legally binding instruments, binding corporate rules (BCRs), standard contractual clauses (SCCs), or transfer impact assessments (TIAs) are all required in the absence of a decision pursuant to Article 45. If the data adequacy decision is finalized, it will mean that the EC acknowledges that the EU-US DPF provides an adequate level of protection. This will mean that businesses will only need to become EU-US DPF-certified organizations for cross-border data transfers between the US and the EU and need not rely on TIAs or SCCs.
Can We Expect a Schrems III?
Yes, the draft adequacy decision or its adoption can still be challenged before the CJEU. After all, the NOYB (European Center for Digital Rights), headed by the Austrian privacy campaigner Max Schrems, still seems to be skeptical about the new Executive Order, quoting that the EO 14086 “oversells and underperforms when it comes to the protection of non-US persons.” Moreover, Max Schrems has stated that as the draft decision is based on the EO 14086, he can't see the decision surviving a challenge before the CJEU.
However, the EU Justice Commissioner, Didier Reynders, gave the draft adequacy decision a “seven out of eight chance” of taking such a legal challenge head-on. Didier further responded, “please test the system before you say it's inefficient.”
The draft adequacy decision has now entered the approval phase, where it has been presented before the European Data Protection Board. The EC will further seek approval from a committee composed of the EU member states. In addition, the European Parliament also has a right to scrutiny over the adequacy decision. The finalization process usually takes six to seven months. That being said, it is expected that the final adequacy decision will be adopted by mid-2023.
As the draft adequacy decision is still in the approval process, businesses in the US need to rely on the framework specified in the GDPR for cross-border data transfers.