On July 10, 2023, the European Commission adopted its long-awaited adequacy decision for the EU-U.S. Data Privacy Framework (“Adequacy Decision”). This ends a three-year journey to set up a successor to the EU-U.S. Privacy Shield mechanism, which the Court of Justice of the European Union (“CJEU”) deemed invalid on July 16, 2020. U.S. President Joe Biden welcomed the Adequacy Decision, stating that it “will provide greater data privacy protections and economic opportunities.”
The Adequacy Decision concludes that the U.S. provides for an adequate level of protection under the EU’s General Data Protection Regulation (“GDPR”) when personal data of individuals in the European Economic Area (“EEA”) is transferred to U.S. companies certified under the new EU-U.S. Data Privacy Framework.
Along with the Adequacy Decision, the European Commission published a fact sheet and a Q&A document.
Background: Changes in U.S. Law
The Adequacy Decision follows certain changes in U.S. law, in particular Executive Order 14086 (“Enhancing Safeguards for United States Signals Intelligence Activities”) dated October 7, 2022. The Executive Order and accompanying regulations:
- provide additional safeguards to ensure that U.S. signals intelligence activities are necessary and proportionate to the pursuit of defined national security objectives;
- enhance rigorous oversight of signals intelligence activities to ensure compliance with limitations on surveillance activities; and
- create a new independent redress mechanism for complaints about access to data by U.S. national security authorities with binding authority to direct remedial measures. This new independent redress mechanism set up by the U.S. government has two levels and aims at investigating and resolving complaints from any individual whose data has been transferred from the EEA about the collection and use of their data by U.S. intelligence agencies access to their data by U.S. national security authorities. At a first level, complaints are investigated by the Civil Liberties Protection Officer of the U.S. intelligence community. At the second level, individuals can appeal the decision of the Civil Liberties Protection Officer before the newly established Data Protection Review Court (“DPRC”).
The U.S. Attorney General also allowed access to the redress mechanism in Section 3 of Executive Order 14086 by designating the EU and Iceland, Liechtenstein and Norway as “Qualifying States,” following an analysis of the legal protections for U.S. data in these countries.
The EU-U.S. Data Privacy Framework is administered by the U.S. Department of Commerce and enforced by the U.S. Federal Trade Commission.
Certification of companies in the U.S. under the EU-U.S. Data Privacy Framework
The Adequacy Decision directly addresses transfers from the EU to recipients in the U.S. who have self-certified under the EU-U.S. Data Privacy Framework. Companies will have to agree to comply with a detailed set of privacy principles (“DPF Principles”) such as purpose limitation, data minimization and data retention, as well as specific commitments on data security and sharing with third parties. The Adequacy Decision provides that the DPF Principles apply immediately on certification. Participating organizations are required to recertify their adherence to the DPF Principles on an annual basis.
This certification process can be started immediately, as soon as the framework’s website at www.dataprivacyframework.gov is fully operational.
Companies currently registered under the former EU-U.S. Privacy Shield framework are likely to be transferred more or less automatically to the EU-U.S. Data Privacy Framework, although updates to privacy policies and other documents referencing the EU-U.S. Privacy Shield framework should be made in the next three months, but additional details on implementation have not been announced yet.
Indirect effects of the Adequacy Decision on other GDPR transfer mechanisms
According to a Q&A document published by the European Commission on July 10, 2023, all the safeguards implemented under Executive Order 14086 apply to all data transfers from the EEA to companies in the U.S., regardless of the transfer mechanism relied upon in each case. Therefore, these safeguards also facilitate using other tools, such as the Standard Contractual Clauses and Binding Corporate Rules.
In practice, the general obligation to carry out a transfer impact assessment (“TIA”) under the Standard Contractual Clauses will remain, but there should not be any doubt regarding the overall result of the assessment in light of the Adequacy Decision.
Upcoming legal challenges of the Adequacy Decision before the CJEU
It is widely expected that the Adequacy Decision will be challenged in court. Austrian activist Max Schrems, founder of the privacy organization noyb, has already announced such a challenge, aiming at invalidating the new transfer mechanism. There could be a “Schrems III” judgment by the CJEU following Schrems I (regarding Safe Harbor) and Schrems II (regarding the EU-U.S. Privacy Shield).
The European Commission is confident that the Adequacy Decision will survive a legal challenge. A member of EU Justice Chief Didier Reynders’ cabinet recently said that the European Commission is convinced that “this arrangement is stable and meets the requirements of our European Court of Justice.” In the press release on the Adequacy Decision, EU Justice Commissioner Reynders explained that “[the Commission] is very confident to try to, not only implement such an agreement, but also to defend [it] in all procedures that [it will] have to face.”
The Adequacy Decision in practice will be subject to regular review. To this end, the European Commission will continuously monitor developments in the U.S. to verify that all relevant elements have been fully implemented in the U.S. legal framework and are working effectively. In the event of developments affecting the “adequacy” of the level of protection in the U.S., the Adequacy Decision may be adapted or even withdrawn by the European Commission. The first periodic review will take place within one year of the entry into force of the Adequacy Decision.
For the time being, companies finally have a robust legal basis for transferring data from the EEA to the U.S. It remains to be seen whether the Adequacy Decision will be invalidated by the CJEU in another potential Schrems III decision.