In a significant move toward replacing the invalidated Privacy Shield, the European Commission (EC) released a draft Adequacy Decision on December 13, 2022, concluding that the U.S. legal framework provides an adequate level of protection for personal data transferred from the EU to U.S. companies that have been certified under a new EU-U.S. Data Privacy Framework (the DPF). This announcement follows the issuance of President Biden's Executive Order 14086 on October 7, 2022, "Enhancing Safeguards For United States Signals Intelligence Activities" (EO 14086), which established additional safeguards and oversight for U.S. signals intelligence activities (for background and analysis of that Executive Order, see our blog post here).
With the publication of this draft Adequacy Decision, the EC has determined that the deficiencies identified by the Court of Justice of the European Union (CJEU) in its 2020 Schrems II decision, which invalidated the EU-U.S. Privacy Shield framework, have been adequately remedied by EO 14086. Looking ahead, the draft will now go to the European Data Protection Board for a non-binding opinion, to a committee of representatives of the EU member states for approval, and to the European Parliament, which has a right of scrutiny. Once that review process is complete, the EC can proceed with adopting a final Adequacy Decision, likely not before spring 2023.
The draft Adequacy Decision also includes for the first time the principles that companies will be required to adhere to in order to become certified under the DPF. Although companies previously certified under the Privacy Shield will need to become certified under the DPF, the principles are substantively the same for both mechanisms, so the operational challenges of becoming (re)certified should be minimal. We discussed the practicalities of enrolling in the Privacy Shield here.
As the Adequacy Decision makes its way through the final approval process, companies that would like to become certified should review the required commitments under the DPF Principles and consider submitting a self-certification to the Department of Commerce.
Once a final decision has been adopted, the looming question is whether it will withstand legal challenges, expected to come from the Austrian privacy activist Max Schrems, who has said he may challenge any adequacy decision based on EO 14086 through his advocacy group "None of Your Business" (NOYB). NOYB issued a statement quoting Schrems as saying he "can't see how [the Adequacy Decision] would survive a challenge before the Court of Justice."
Terms of the Decision
In its draft Adequacy Decision, the EC first detailed the various commitments U.S. companies must adhere to in order to become certified under the DPF. The full list of the Principles of Certification can be found in Annex I of the draft Adequacy Decision. For further detail and analysis of these principles, see our discussion of the substantively similar Privacy Shield principles in our blog post here.
The EC then engaged in an expansive review of the various mechanisms available to law enforcement and other government agencies to access personal data. While the analysis was thorough, the most likely sticking points in an eventual CJEU review will be the issues the court identified in its Schrems II decision; namely, that the intelligence collection activities authorized by Section 702 of FISA and EO 12333 (1) were not limited to what was "necessary and proportionate" to advance a legitimate objective, and (2) were not accompanied by an effective redress mechanism for affected EU data subjects.
After detailing the additional safeguards of EO 14086, the EC concluded "that any interference … by U.S. public authorities with the fundamental rights of the individuals whose personal data are transferred from the Union to the United States under the EU-U.S. Data Privacy Framework, will be limited to what is strictly necessary to achieve the legitimate objective in question" and "limited to what is necessary and proportionate to advance a legitimate objective." The EC also found that the new redress mechanisms established under EO 14086 and U.S. law "enable infringements of the data protection rules to be identified and punished in practice and offer legal remedies to the data subject to obtain access to personal data relating to him/her and, eventually, the rectification or erasure of such data."
The EC also specifically addressed the issue of bulk data collection, which was a significant factor in the CJEU's Schrems II decision. The EC stated that bulk collection by U.S. authorities can "only apply to data collection that takes place outside the United States, on the basis of EO 12333," and noted that bulk collection is only permitted when necessary information cannot reasonably be obtained through targeted collection, that EO 14086 only allows for bulk collection for six enumerated purposes, and that the EO also places limitations on the collection and use of data obtained through bulk collection.
Importantly, the EC noted that entry into force of the Adequacy Decision "is conditional upon the adoption of updated policies and procedures to implement EO 14086 by all U.S. intelligence agencies and the designation of the [EU] as a qualifying organization for the purpose of the redress mechanism." EO 14086 requires the relevant intelligence agencies to update their internal operating policies to comply with the EO and instructs the Attorney General to designate the states or regional organizations whose residents may use the newly created redress mechanism. These updates and designations have not yet been completed and will likely need to be in place before the Adequacy Decision is finalized.
For the time being, companies engaged in international data transfers from the EU to the U.S. should continue relying on Standard Contractual Clauses (SCCs) as the most appropriate transfer mechanism. However, the EC's draft Adequacy Decision should provide additional support for the position that U.S. law provides essentially equivalent protections for personal data as EU law when conducting transfer impact assessments and, therefore, that supplemental measures such as encryption are not required for international transfers to the U.S. using the SCCs.
DWT's Privacy and Security team regularly advises clients regarding international data transfers and will continue to closely monitor developments with the new Framework.