EDPB issues opinion on EU-US Data Privacy Framework

The draft framework is currently awaiting formal approval from the European Commission. Here’s what you need to know

Robb Hiscock, Content Marketing Specialist | CIPP/E, CIPM
February 28, 2023

On December 13, 2022, the European Commission launched its process for the adoption of an adequacy decision on the EU-US Data Privacy Framework (EU-US DPF). This followed the Executive Order on the new EU-US DPF issued by President Joe Biden on October 7, 2022, which aims to provide enhanced protection for personal information transferred between the US and the EU. The Executive Order in turn followed an agreement in principle on the transfer framework, announced in March 2022 by the President of the European Commission, Ursula von der Leyen, and marked the first formal step in adopting a new mechanism for transatlantic data flows.

The draft adequacy decision from the European Commission concludes that the legal framework in the US ensures an adequate level of protection for personal data transferred from the EU to US companies.

On February 28, 2023, the European Data Protection Board (EDPB) issued its opinion on the EU-US DPF. The EDPB’s opinion largely welcomed the improvements made by the framework; however, it called on the European Commission to ensure that several areas of the framework, including data subject rights and onward transfers, are addressed before the EU-US DPF is formally adopted.

EDPB Chair Andrea Jelinek said, “A high level of data protection is essential to safeguard the rights and freedoms of EU individuals. While we acknowledge that the improvements brought to the U.S. legal framework are significant, we recommend to address the concerns expressed and to provide clarifications requested to ensure the adequacy decision will endure. For the same reason, we think that after the first review of the adequacy decision, subsequent reviews should take place at least every three years and we are committed to contributing to them.”

Since the invalidation of the EU-US Privacy Shield in 2020 as a result of the Schrems II case, organizations have had to rely on alternative transfer mechanisms and verify that personal data transferred from the EU to the US receives a level of protection essentially equivalent to that in the EU. Importantly, the EU-US DPF includes a new, two-layer mechanism for individuals to seek redress; the absence of effective redress was a critical factor in the CJEU’s Schrems II decision. The European Commission’s draft adequacy decision must still complete the formal adoption process, of which the EDPB’s opinion is one step and approval from a committee composed of representatives of the EU Member States is another. Even so, it marks the next step toward greater legal certainty for organizations that rely on moving data from the EU to the US.

What does the European Commission’s draft adequacy decision say?

The announcement made by the European Commission outlines that it has assessed the legal framework in the US, and concluded that personal data transferred from the EU to the US will be protected to an adequate level based on the new framework.

After the draft adequacy decision was published, it was transmitted to the European Data Protection Board (EDPB) for its opinion.

What does the EDPB opinion on the EU-US DPF say?

The opinion issued by the EDPB welcomes the improvements made by the EU-US DPF such as the necessity and proportionality principles and new redress mechanisms for EU data subjects. However, the opinion also outlines several concerns held by the EDPB. These include:

  • Exemptions to the right of access, including for publicly available information
  • The absence of certain key definitions
  • Lack of clarity regarding the application of processing principles to processors
  • A lack of specific rules on automated decision-making and profiling
  • Ensuring the level of data protection is not undermined by onward transfers
  • The lack of a prior authorisation requirement by an independent authority for the collection of data in bulk

The EDPB calls for the European Commission to closely monitor the practical application of the principles of necessity and proportionality and the practical functioning of the redress mechanism for EU citizens.

What did the Executive Order include? And how does it affect the new framework?

The EU-US DPF aims to alleviate the concerns raised by the Schrems II decision by ensuring further safeguards for the personal data of EU citizens being transferred out of Europe. The Executive Order issued by President Biden on October 7, 2022, implemented several requirements for US signals intelligence activities that would align with the new framework. These included ensuring surveillance activities are only conducted where necessary and proportionate to advance valid intelligence priorities.

Additionally, the Executive Order included information on the handling of personal information collected by US signals intelligence activities and extends the responsibility for remediating non-compliance to legal, oversight, and compliance officials. As a result of the Executive Order, the US Intelligence Community will be required to update its policies and procedures to reflect these new safeguards.

In its decision on the Schrems II case, the CJEU highlighted the lack of access for EU data subjects to legal redress mechanisms in cases where their personal data was intercepted in US intelligence efforts. Consequently, this is a key area of the EU-US DPF that the European Commission assessed. To address these concerns, the US Executive Order created a two-layer redress mechanism for eligible individuals.

This mechanism can be used in cases where personal information that has been collected through US signals intelligence was collected or handled by the US in violation of applicable privacy laws, including the enhanced safeguards required by the EU-US DPF. The first layer of the redress mechanism provides the Civil Liberties Protection Officer in the Office of the Director of National Intelligence (CLPO) the power to conduct investigations into complaints to determine whether non-compliance with the EU-US DPF or other US laws has occurred.

The second layer of the review empowers the Attorney General to establish a Data Protection Review Court (DPRC), which will provide an independent review of the CLPO’s decision. The DPRC will be formed of judges appointed from outside the US government who have relevant experience in data privacy and national security. The Attorney General issued accompanying regulations on the establishment of the DPRC on the same day as the Executive Order.

The CLPO will also be responsible for establishing an annual review of the Intelligence Community policies and procedures to ensure they align with the EU-US DPF.

How will this impact organizations’ data operations?

In the long term, the EU-US DPF aims to provide more legal certainty for organizations transferring personal data from the EU to the US and organizations can look forward to using a more streamlined transfer solution. It will also restore an “important, accessible, and affordable data transfer mechanism”, where the EU-US Privacy Shield once was but with enhanced protections for personal information and greater access to redress in cases of non-compliance.

Organizations looking to certify with the EU-US DPF will also need to consider new and additional items covered in Annex 1 of the draft adequacy decision. These include ensuring that your privacy program encompasses a broader scope of personal data, amending privacy notices to an EU level of transparency, and ensuring your vendor contracts include new provisions of the EU-US DPF.

In the short term, the announcement of progress on the EU-US DPF goes some way toward addressing the concerns of EU citizens in the fallout from the Schrems II case. However, the adoption of an adequacy decision by the European Commission is not expected until July 2023. In a statement, European Commissioner for Justice Didier Reynders said, “before next summer it must be possible to go to the end of the process […] It means we will maybe have a decision before July of next year.”

For now, organizations should bear in mind that while the EU-US DPF may remove the need to conduct a Transfer Impact Assessment (TIA) for transfers to US organizations certified under the framework, transfers to US recipients that are not certified, and transfers from the EU to other third countries, will still need to be assessed and covered by a transfer mechanism such as SCCs. Therefore, ensuring that your data map is up to date with current activities and vendors is essential to remain compliant with the GDPR.

What happens next?

The European Commission’s draft adequacy decision must now make its way through the formal adoption process. Aside from the EDPB’s opinion, representatives of each EU Member State will also need to assess and approve the Commission’s decision.

As part of any final EU adequacy decision, the EU-US DPF will be reviewed periodically to ensure that its protections continue to maintain a standard essentially equivalent to that found in the EU. The first review will take place one year after the formal adoption of the adequacy decision.

Once an adequacy decision is adopted by the Commission, businesses based in the EU will be able to transfer personal data to participating companies in the US, should they decide to rely on the EU-US DPF and therefore comply with its requirements, without the need for additional data protection safeguards such as Standard Contractual Clauses (SCCs).

Take a look at OneTrust’s range of solutions for dealing with data transfers to third countries, including visualization of international data flows, access to vendor transparency reports, and pre-filled TIAs from the OneTrust platform.
