Two and a half years after the Schrems II decision invalidated the EU-US Privacy Shield, the EU and US are inching closer to a replacement data transfer mechanism for EU to US personal data transfers. On 13 December 2022, the European Commission announced that it had launched the adequacy decision approval process for the EU-US Data Privacy Framework (the “Framework”).

Features of the Framework

The start of the adequacy adoption process follows US President Biden signing an Executive Order on 7 October 2022 (discussed here). The Executive Order established: (i) legally binding safeguards to help address the concerns identified by the Court of Justice of the European Union (CJEU) in Schrems II, and (ii) a Data Protection Review Court to protect individuals’ rights of redress.

The Framework comprises a set of privacy principles. The draft adequacy decision concludes that personal data transferred from the EU to US organisations certified under those principles receives protection ‘essentially equivalent’ to that guaranteed within the EU under the GDPR.

Key to tackling the perceived deficiencies in the former Privacy Shield are the new limits on access to EU personal data by US intelligence authorities and the redress mechanism set out in the Framework.  The redress mechanism allows EU individuals to make a complaint to the Civil Liberties Protection Officer, who oversees compliance by US intelligence agencies with privacy and fundamental rights. Decisions of this officer can be appealed in the new US Data Protection Review Court (which is composed of members who are not US government employees).  The court is empowered to investigate complaints and take binding remedial decisions (which would include deletion of data), and will be assisted by a special advocate. 

Individuals can also (i) complain directly to the organisation handling their data; (ii) make a complaint to an EU-based data protection authority, the Federal Trade Commission or the Department of Commerce; or (iii) initiate arbitration proceedings in the US against specific organisations. Arbitrations are conducted by the EU-US Data Privacy Framework Panel. This is a binding arbitration option, in which the panel may impose individual-specific, non-monetary equitable relief where necessary to remedy a violation of the Framework principles with respect to a particular individual.

It should also be noted that the new safeguards introduced by the US in relation to national security (including the all-important redress mechanism for data subjects) apply to all transfers of EU personal data to the US, whether or not they take place under the Framework. They therefore also strengthen the position of organisations relying on other transfer mechanisms, such as the Standard Contractual Clauses.

The path towards adoption (and what organisations must do to comply)

The EU’s draft adequacy decision confirms the European Commission’s view that transfers to US organisations participating in the Framework will achieve the required adequate level of protection for personal data transferred from the EU to a third country. The EDPB will now give its opinion on the adequacy decision, before the committee of Member State representatives approves it. The European Parliament also has a right of scrutiny over the decision. 

Once the adequacy decision is issued, EU companies will be able to transfer personal data freely to US companies certified by the Department of Commerce under the Framework. Certification will require participating US companies to commit to comply with a detailed set of privacy obligations (such as purpose limitation, data retention and sharing with third parties) and be subject to the investigatory and enforcement powers of the Federal Trade Commission or the US Department of Transportation.  Relevant organisations will need to re-certify their adherence to the privacy principles annually.  

The status of the UK-US adequacy decision

Following the publication of the October Executive Order, the UK government announced its intention to review the US’ enhanced safeguards and redress mechanism and make preparations for the laying of adequacy regulations before Parliament in early 2023. The adequacy regulations must be laid before Parliament for 40 days, after which they will enter into force unless challenged (which appears unlikely). The shorter adequacy process in the UK may ultimately mean that the UK is in a position to issue its own US adequacy decision ahead of the EU’s formal adoption of the Framework.   

What’s next?

It remains to be seen whether significant numbers of US organisations will decide to participate in the Framework (or the potential UK version) and, if so, over what timeframe. Factors such as the relatively short life of the preceding Privacy Shield, and the scepticism expressed about the Framework by some, including Max Schrems, will need to be weighed in the balance. Mr Schrems’ comments indicate that he considers a legal challenge to the validity of the Framework would succeed; however, the outcome of any such future challenge cannot be predicted with certainty. Companies should therefore begin to consider the potential commercial benefits of participating in the Framework and determine whether they are in a position to meet the detailed obligations it sets out.

Even though the Framework is a significant step closer, like Santa, it has not yet arrived! In the meantime, organisations should continue to work towards implementing or updating their current cross-border transfer solution, particularly the transition to the new EU Standard Contractual Clauses, as the 27 December 2022 deadline for that change is almost upon us.

This document provides a general summary and is for information/educational purposes only. It is not intended to be comprehensive, nor does it constitute legal advice. Specific legal advice should always be sought before taking or refraining from taking any action.