On 13 December 2022, the European Commission gave the green light to a new EU-US data transfer legal framework by publishing its draft decision on US adequacy for EU-US data transfers (“Draft Decision”).
If confirmed by EU institutions, the Draft Decision will pave the way for organisations to transfer personal data from the EU to the United States of America (US) under an alternative transfer mechanism to be known as the EU-US Data Privacy Framework (“DPF”).
The Draft Decision is a positive development for EU-US data transfers after a prolonged period of restrictions on personal data transfers to the US following the invalidation of the EU-US Privacy Shield in the Court of Justice's Schrems II decision in July 2020 (see our previous analysis here). While the Draft Decision suggests that a US adequacy decision may be adopted in the near term, organisations must in the meantime continue to rely on other transfer mechanisms, such as the EU standard contractual clauses.
The DPF meets the standard of “essential equivalence”
The Draft Decision confirms that the DPF meets the “essential equivalence” standard, as set down in the Schrems II decision. It is the first milestone towards the new DPF being approved as a transfer mechanism under the General Data Protection Regulation (GDPR), allowing for the free flow of personal data from the EU to the US where the ‘data importing’ US organisation is (re-)certified under the DPF.
In the Draft Decision, the European Commission makes it clear that “essential equivalence” does “not require finding an identical level of protection” in a third country, nor does it require “point-to-point replication” of the GDPR’s rules. Instead, the test for adequacy is: “whether, through the substance of privacy rights and their effective implementation, supervision and enforcement, the foreign system as a whole delivers the required level of protection”.
The Draft Decision identifies President Biden’s Executive Order (EO) and the Regulation on the Data Protection Review Court issued by the US Attorney General (AG Regulation) as the key components of the DPF underpinning the determination of “essential equivalence” for the US.
Key features of the Draft Decision
The key features of the Draft Decision are:
- Privacy principles: The DPF’s privacy principles (established by the US Department of Commerce) are carried over from its predecessor, the EU-US Privacy Shield, with updates reflecting aspects of the GDPR.
- (Re-) Certification for US organisations: US organisations will be able to avail of the DPF by committing to comply with a detailed set of privacy obligations, for instance, the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties. It is also possible for US organisations that maintained their Privacy Shield certification to re-certify under the DPF.
- Necessity of any interference: In response to one of the issues identified by the Court in Schrems II, the European Commission has confirmed, based on the available information about the EO and AG Regulation, that any interference in the public interest (i.e. for national security purposes) by US public authorities with the fundamental rights of data subjects whose data are transferred to the US under the DPF will be limited to what is strictly necessary to achieve the legitimate objective of that access.
- Monitoring mechanism: US authorities are required to inform the European Commission of material developments in the EO which impact on the DPF, and of any evolution in practices related to the processing of personal data under the DPF.
- Review mechanism: In applying Article 45(3) of the GDPR, the European Commission will review the adequacy finding one year after it takes effect to ensure that essential equivalence still stands. Following this, periodic reviews will take place every four years. Each review will take the form of a public report submitted to the European Parliament and the Council.
Next steps: it is over to EU institutions
The Draft Decision will now be scrutinised by EU institutions for approval, as part of the European Commission’s comitology procedure. If approved, the Draft Decision is expected to be adopted in early 2023. The first EU body to review the Draft Decision is the European Data Protection Board, which will give a non-legally binding but influential opinion on it.
What should organisations do in the meantime?
While the Draft Decision is a welcome development, organisations must continue to rely on the GDPR’s other transfer mechanisms (such as the standard contractual clauses) until the Draft Decision is adopted (or rejected) and the DPF is fully operational.
Contributed by Róisín Culligan