LawFlash

European Commission Releases Draft Adequacy Decision for US Personal Data Transfers

December 15, 2022

The European Commission recently released a draft adequacy decision for the European Union and United States Transatlantic Data Privacy Framework (TDPF). If the decision is finalized, data transfers between the European Union and United States by TDPF-participating organizations will be substantially eased.

This draft decision’s public release on December 13 comes two months after President Biden issued Executive Order 14086 (EO 14086) concerning the enhancement of privacy safeguards for US signals intelligence activities. EO 14086 was designed to address the concerns over US intelligence activities raised by the European Court of Justice’s Schrems II decision.

The draft decision includes an annex with relevant materials supporting the Commission’s adequacy analysis. The Commission emphasizes that EU data protection level standards (primarily implemented in the European Union through the EU General Data Protection Regulation 2016/679 (GDPR)) in the United States must be “adequate,” but not necessarily identical to the GDPR. In essence, its adequacy review focuses on the protection of fundamental rights and, particularly, risk to the privacy rights of individuals in the European Union:

“In particular, the means to which the third country in question has recourse for protecting personal data may differ from the ones employed in the Union, as long as they prove, in practice, effective for ensuring an adequate level of protection. The adequacy standard therefore does not require a point-to-point replication of Union rules. Rather, the test is whether, through the substance of privacy rights and their effective implementation, supervision and enforcement, the foreign system as a whole delivers the required level of protection.” See Draft Adequacy decision for the EU-US Data Privacy Framework, European Commission, Dec. 13, 2022.

To address the primary concerns raised in Schrems II, the draft decision includes a detailed evaluation of the current state of the law in the United States following EO 14086. In particular, the Commission expressly found that there are sufficient “oversight mechanisms and redress avenues in US law” for any potential infringements of the privacy rights of data subjects. The Commission squarely addressed concerns over data collected for law enforcement and national security purposes in the United States and determined that such collections would be limited to “what is strictly necessary” for legitimate objectives and that effective legal protections exist against any abuses.

The TDPF principles are very similar to the GDPR principles and also require certified organizations to provide rights to opt out and rights of access to personal data to individuals, as well as a requirement to have data processing agreements with processors (even if they are not certified to the TDPF) for onward transfers. US organizations that already comply with GDPR requirements are likely to be able to implement these requirements in a fairly straightforward manner. Other organizations that have not yet needed to comply with GDPR level standards, but that wish to certify to the TDPF, are likely to have to review substantively their privacy compliance procedures and revise them to meet the enhanced requirements.

Importantly, the Commission noted that the “limitations, safeguards, and redress mechanism established by EO 14086” are key elements of its adequacy analysis, and therefore, the decision is contingent upon the actual implementation of policies and protections by the United States to carry out the European Union’s directives.

To that end, the Commission also indicated that it will actively monitor the “actual practices for the processing of personal data” in the United States as well as restrictions placed on law enforcement and intelligence agencies for accessing such data. It remains to be seen whether EO 14086 will be subject to court challenges once implemented or whether Congress will attempt to intervene.

On this basis, the Commission has determined in the draft decision that the United States is a jurisdiction with an adequate level of protection for personal data transferred from the European Union only when such personal data is transferred to certified organizations participating in the TDPF. This means that, if the decision is formally adopted, there will, once more, be a mechanism to transfer personal data to organizations that are certified by the Department of Commerce—a process similar to the transfers that were permitted under the EU-US Privacy Shield and EU-US Safe Harbor framework.

Although there is no mandated timetable for the review and adoption process, a final adequacy decision will likely be adopted by the Commission in spring 2023, but the final decision will be contingent upon the protections in EO 14086 becoming operational in the United States.

NEXT STEPS

In addition to requiring the full implementation of EO 14086, the draft decision must go through a thorough review process in the European Union before it becomes final.

In the following months, the draft decision will be reviewed by the European Data Protection Board (EDPB), which will render an opinion. After the EDPB review, the adequacy decision must be approved by a committee of European member states. The European Parliament also has a right to opine on the adequacy decision.

The UK will not be bound by the adequacy decision. Organizations transferring personal data from the EU and UK to the US should continue using the currently approved transferred mechanisms such as the UK 2021 Standard Contractual Clauses (SCCs). Crucially, organizations transferring personal data from the EU and UK are required to conduct risk assessments related to the surveillance concerns and implement relevant safeguards and security measures to mitigate against any identified risks to the privacy rights of individuals whose personal data is being transferred to the US. The draft decision does, however, indicate that the Commission views the US as having a legal framework that is consistent with providing an adequate level of protection, albeit for organizations certified to the TDPF.

Contacts

If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following: