Questions & Answers: EU-U.S. Data Privacy Framework, draft adequacy decision

Reproduced with thanks from the European Commission (EC), published on Tuesday 13 December 2022.

On 13 December, the European Commission launched the process to adopt an adequacy decision for the EU-U.S. Data Privacy Framework, which will foster trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union in its Schrems II decision of July 2020.

The draft adequacy decision concludes that the United States ensures an adequate level of protection for personal data transferred from the EU to the US. This is based on an in-depth assessment of the Data Privacy Framework itself and its obligations for companies, as well as the limitations and safeguards on access by US public authorities to data transferred to the US, in particular for criminal law enforcement and national security purposes.

The proposal for a draft adequacy decision follows the signature of an Executive Order by President Biden on 7 October 2022. Along with the Regulation issued by the Attorney General, the Executive Order implemented into US law the agreement in principle on a new EU-U.S. Data Privacy Framework announced in March 2022 by President von der Leyen and President Biden. The Executive Order introduces new binding safeguards to address the concerns raised by the Court of Justice of the European Union in its Schrems II judgement. It imposes limitations and safeguards on access to data by US intelligence agencies, and establishes an independent and impartial redress mechanism to handle and resolve complaints from Europeans concerning the collection of their data for national security purposes.

  • What is an adequacy decision?

An adequacy decision is one of the tools provided under the General Data Protection Regulation (GDPR) to transfer personal data from the EU to third countries which, in the assessment of the Commission, offer a comparable level of protection of personal data to that of the European Union.

As a result of adequacy decisions, personal data can flow freely and safely from the European Economic Area (EEA) to a third country, without being subject to any further conditions or authorisations. In other words, transfers to the third country can be handled in the same way as intra-EU transmissions of data.

Once the adequacy decision is adopted, European entities will be able to transfer personal data to participating companies in the United States, without having to put in place additional data protection safeguards.

US companies will be able to certify their participation in the EU-U.S. Data Privacy Framework by committing to comply with a detailed set of privacy obligations (such as purpose limitation and data retention, as well as specific obligations concerning data security and the sharing of data with third parties).

  • What are the criteria to assess adequacy?

Adequacy does not require the third country's data protection system to be identical to that of the EU, but is based on the standard of ‘essential equivalence’. It involves a comprehensive assessment of a country's data protection framework, both of the protection applicable to personal data and of the available oversight and redress mechanisms.

The European data protection authorities have developed a list of elements that must be taken into account for this assessment, such as the existence of core data protection principles, individual rights, independent supervision and effective remedies.

  • What are the limitations and safeguards regarding access to data by United States intelligence agencies?

An essential element of the US legal framework on which the draft adequacy decision is based concerns the Executive Order signed by President Biden on 7 October. The Order, as well as an accompanying Regulation, implemented the commitments made by the US in the agreement in principle announced in March by President von der Leyen and President Biden.

For Europeans whose personal data is transferred to the US, the Executive Order provides for:

  • Binding safeguards that limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security;
  • Enhanced oversight of activities by US intelligence services to ensure compliance with limitations on surveillance activities; and
  • The establishment of an independent and impartial redress mechanism, which includes a new Data Protection Review Court to investigate and resolve complaints regarding access to their data by US national security authorities.

The Executive Order requires US intelligence agencies to review their policies and procedures to implement these new safeguards.

  • In what way is the new redress mechanism in the area of national security different from the previous Privacy Shield Ombudsperson?

The Executive Order, together with the accompanying Regulation, establishes a new two-layer redress mechanism, with independent and binding authority.

Under the first layer, EU individuals will be able to lodge a complaint with the so-called ‘Civil Liberties Protection Officer’ of the US intelligence community. This person is responsible for ensuring compliance by US intelligence agencies with privacy and fundamental rights.

Under the second layer, individuals will have the possibility to appeal the decision of the Civil Liberties Protection Officer before the newly created Data Protection Review Court. The Court will be composed of members from outside the US Government, who are appointed on the basis of specific qualifications, can only be dismissed for cause (such as a criminal conviction, or being deemed mentally or physically unfit to perform their tasks) and cannot receive instructions from the government. The Data Protection Review Court will have powers to investigate complaints from EU individuals, including to obtain relevant information from intelligence agencies, and will be able to take binding remedial decisions. For example, if the DPRC finds that data was collected in violation of the safeguards provided in the Executive Order, it will be able to order the deletion of the data.

To further enhance the Court's review, in each case, the Court will select a special advocate with relevant experience to support the Court, who will ensure that the complainant's interests are represented and that the Court is well-informed of the factual and legal aspects of the case. This will ensure that both sides are represented, and introduces important guarantees in terms of fair trial and due process.

These are significant improvements compared to the mechanism that existed under the Privacy Shield.

  • What are the next steps in the process?

The draft adequacy decision was transmitted to the European Data Protection Board (EDPB) for its opinion.

Afterwards, the Commission will need to obtain the green light from a committee composed of representatives of the EU Member States. In addition, the European Parliament has a right of scrutiny over adequacy decisions.

Only after that can the European Commission adopt the final adequacy decision, which would allow data to flow freely and safely between the EU and US companies certified by the Department of Commerce under the new framework.

  • What are the options available to companies in the meantime?

It is important to remember that an adequacy decision is not the only tool for international transfers.

Model clauses, which companies can introduce in their commercial contracts, are the most used mechanism to transfer data from the EU. Last year, the Commission adopted modernised ‘Standard Contractual Clauses’ to facilitate their use, including in light of the requirements set by the Court of Justice in the Schrems II judgment. Practical guidance to companies relying on Standard Contractual Clauses for transferring data is also available.

All the safeguards that have been put in place by the US Government in the area of national security (including the redress mechanism) will be available for all transfers to companies in the US under the GDPR, regardless of the transfer mechanisms used.
