The European Commission today approved the long-awaited framework for data transfers to the United States.
What is the decision about?
Today's decision means that organisations subject to the GDPR can benefit from an adequacy decision for transfers to companies in the United States that certify their participation in the EU-US Data Privacy Framework ("DPF").
An adequacy decision from the European Commission facilitates the transfer of personal data from the EU to third countries. Subject to limited exceptions, the GDPR prohibits these transfers in the absence of adequate safeguards that ensure a comparable level of protection of personal data to that of the EU. The adoption of an adequacy decision in respect of a third country indicates that, in the opinion of the European Commission, that third country offers a level of protection for personal data that is aligned with the requirements of the GDPR, meaning that parties to a data transfer do not need to put in place additional safeguards to ensure that the transfer complies with the GDPR.
The EU Commission has found that data transferred to companies located in the United States which have joined the DPF is subject to a standard of protection which is essentially equivalent to that of the European Union.
Do only companies signed up to the DPF benefit from the decision?
While the decision of the EU Commission has only direct (beneficial) effect for those companies signed up to the DPF, the decision will likely also have a significant beneficial impact for all the companies relying on the Standard Contractual Clauses ("SCCs") issued by the EU Commission or the Binding Corporate Rules ("BCRs") approved by EU data protection supervisory authorities under the GDPR.
In its judgment in the Schrems II case, the European Court of Justice identified significant issues arising under U.S. laws that undermined the ability of parties transferring personal data to recipients in the United States to guarantee a data protection standard essentially equivalent to that in the European Union. In particular, the CJEU found the ability of the U.S. intelligence community to access data under Section 702 of the Foreign Intelligence Surveillance Act ("FISA 702") and Executive Order (EO) 12333 was potentially excessive and lacking appropriate oversight and legal redress.
Today's adequacy decision relies to a large extent on the changes to U.S. law implemented by Executive Order (EO) 14086. EO 14086 introduces new binding safeguards to limit access to data by U.S. intelligence authorities and establishes an independent and impartial redress mechanism to investigate and resolve complaints regarding access to data by U.S. national security authorities.
The adequacy decision confirms that, at least in the opinion of the European Commission, the measures put in place through EO 14086 are sufficient to address the concerns raised by the CJEU. As a result, it would be difficult for an EU data protection supervisory authority to argue that a transfer of personal data to a recipient in the United States on the basis of the SCCs or BCRs would not benefit from a sufficient level of data protection. Suspending a transfer or issuing a fine against a company relying on the SCCs or BCRs to transfer personal data to the United States would likely require a challenge to the Commission's adequacy finding itself.
Are Transfer Impact Assessments still required?
If companies cannot or do not want to rely (solely) on the DPF to transfer data to a company that has joined the DPF, they must continue to perform a Transfer Impact Assessment ("TIA") as required under the Schrems II ruling of the CJEU. However, as outlined above, it will be easier to justify a positive TIA, since the EU Commission itself has concluded that EO 14086, as implemented in U.S. law, sufficiently addresses the concerns raised by the CJEU.
Are Data Transfers to the United States now safe?
Companies relying on the DPF are not at risk of fines for data transfers to the United States for as long as the DPF adequacy decision is not invalidated by the CJEU. All EU data protection supervisory authorities are bound by the decision of the EU Commission under European law[1]. Supervisory authorities that disagree with the EU Commission cannot simply disregard the decision; they are required to challenge it through the legal avenues available under national member state law.
The DPF decision also shields companies relying on the DPF from damage claims initiated before national courts. National courts would have to call on the CJEU should they consider the adequacy decision by the EU Commission to be invalid.
Does the DPF solve the problem once and for all?
Likely not. The prospect of surveillance authorised under FISA 702 and Executive Order 12333 is a long-standing concern with transfers of personal data to recipients in the United States by organisations subject to the GDPR. Both were key issues raised in the Schrems I and Schrems II judgments, which invalidated Safe Harbor and Privacy Shield respectively.
Although the DPF and EO 14086 mark a significant step forward, the DPF has been criticised by the European Data Protection Board and the European Parliament as not going far enough in addressing the underlying issue of bulk data collection by U.S. intelligence authorities. Although the Executive Order refers to principles of "proportionality" and "necessity" that are familiar to EU law, their interpretation is still grounded in a different legal system. While the words themselves might be the same, the European Parliament's view was that their application in the United States will look very different from how these terms are applied in the EU. Combined with the fact that decisions by the new Data Protection Review Court would be classified and not public or available to the complainant, the view of the European Parliament and the European Data Protection Board appears to be that the measures adopted in the Framework would be effective on paper but, in reality, would pay little more than lip service to the concerns raised by the CJEU in the Schrems judgments.
As a result, a new challenge of the DPF decision is expected, and there is a clear risk that the decision might face the same fate as the Safe Harbor Framework in 2015 and the Privacy Shield in 2020.
Do companies in the United States have to sign up to the DPF?
U.S. companies on the receiving end of GDPR data transfers now have a genuine choice between continuing to rely on Standard Contractual Clauses and certifying to the new DPF. Companies already signed up to the Privacy Shield will likely be offered an easy transition to the DPF.
Should U.S. companies sign up to the new DPF?
There are certainly practical advantages to the DPF over relying on SCCs; however, the DPF is not simply a replacement for the SCCs, and there may be valid reasons for parties to continue using SCCs rather than relying solely on the DPF:
Next steps
Four years before the CJEU invalidated Privacy Shield, the European Data Protection Supervisor stated that "the Privacy Shield, as it stands, is not robust enough to withstand future legal scrutiny before the Court".[2] In several years' time, it is possible that we could be viewing the criticism of the DPF mentioned above by various European bodies as a similar moment of dramatic irony.
It should also be taken into account that the CJEU invalidated the EU-U.S. Privacy Shield Framework with immediate effect and did not provide companies with any grace period to switch to an alternative transfer mechanism.
In light of this legal uncertainty, companies who are currently relying on the SCCs or BCRs are unlikely to move over entirely to the DPF and overhaul their existing contractual commitments.
However, as set out above, the DPF can provide certain benefits over the SCCs, particularly for companies in the United States that receive personal data from a large number of clients in the EU and are looking to streamline their contracting process in the short term. Where the efficiencies promised by the DPF outweigh the legal uncertainty, it may well be sensible to rely on the DPF by itself.