The end of 2022 saw no let-up in data protection developments. On 13 December, the European Commission issued a draft adequacy decision in respect of the new EU-US Data Privacy Framework (US DPF). The US DPF establishes a legal framework under which personal data can be transferred from the EU to the US. If the decision is adopted, this will foster smoother trans-Atlantic data flows and enable personal data to be transferred from the EU to US organisations which are certified under the US DPF.
Under the EU’s GDPR regime, any transfers of personal data from the EU to countries outside the European Economic Area (EEA) need to ensure that the third country to which the personal data is transferred has adequate levels of data protection. In practice, this requires either an adequacy decision or another appropriate safeguard. Previously, personal data was able to flow from the EU to the US under the Privacy Shield. However, this regime was invalidated by the Court of Justice of the European Union in its Schrems II decision of July 2020 and, as a consequence, the flow of personal data from the EU to the US has been significantly impeded.
Why is this significant?
Since July 2020, the US and EU have been working on developing a new framework. The proposed US DPF is based on similar principles to the Privacy Shield; however, it tries to address the shortcomings raised in the Schrems II decision, thereby aligning the personal data protection regime in the US more closely with that of the EU. Two points of particular concern in the Schrems II decision were (i) the US public authorities’ access to and use of personal data for criminal law enforcement and national security purposes and (ii) the lack of effective redress that EU citizens would have if their personal data was mishandled. The US DPF would impose new limitations and safeguards on access to data by US intelligence agencies, and also incorporate a new independent and impartial redress mechanism for EU citizens if their personal data is handled in a way that does not comply with the framework. In addition, the US DPF would incorporate further protections enshrined in the GDPR, such as the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and a requirement to offer individuals the opportunity to opt out of the disclosure of their personal data to a third party.
Therefore, while the regime in the US is still not as comprehensive as that in the EU under the GDPR, this draft adequacy decision is significant as it concludes that the US framework provides comparable standards to those in the EU. The European Commissioner for Justice, Didier Reynders, has stated that “our analysis has showed that strong safeguards are now in place in the US to allow the safe transfers of personal data between the two sides of the Atlantic…the future framework will help protect the citizen’s privacy, while providing legal certainty for businesses.”
How will this work in practice?
The US DPF is based on a self-certification regime – US organisations will be permitted to join the US DPF if they commit to complying with the obligations in the US DPF. This is similar to the Privacy Shield and its predecessor (the Safe Harbour), which were also self-certification regimes. Even if the adequacy decision is adopted, an EU company will need to check that the organisation to which it is transferring personal data is US DPF certified.
Process to follow
While this draft adequacy decision is undoubtedly a step towards more seamless trans-Atlantic data flows, there are still a number of hurdles to overcome. As a result, this cannot currently be used as a basis to transfer personal data from the EU to the US.
Perhaps the most significant of these hurdles is that Max Schrems, the privacy activist behind the Schrems II decision which invalidated the Privacy Shield, has indicated a potential Schrems III challenge to this decision. He has cited a range of concerns, including around the language of necessity and proportionality and the legitimacy of the US Department of Justice’s Data Protection Review Court.
Even if the decision is not subject to a Schrems-style challenge, there are still bureaucratic steps that need to be taken within the EU before the decision can take effect. In the first instance, the draft adequacy decision will be sent to the European Data Protection Board for its opinion. The European Commission will thereafter be required to seek approval from a committee composed of representatives of EU Member States, and also give the European Parliament the opportunity to scrutinise the decision. The European Commission’s adoption of a final adequacy decision is expected around the middle of 2023 and, in the meantime, any trans-Atlantic data transfers will need to be made under an existing safeguard. Furthermore, the European Commission, together with European Data Protection Authorities and the competent US authorities, will need to conduct periodic reviews of the framework – the first of which will take place within one year of the adequacy decision coming into force.
Impact on the UK
This draft adequacy decision is relevant for personal data being transferred from the EU to the US, but it will not provide a legal basis for UK-US data flows. However, the UK will be following developments closely because, if the adequacy decision is adopted, the UK will almost certainly seek to follow a similar framework for UK-US transfers. Ministers have indicated that an adequate UK-US data transfer mechanism will be of utmost importance to the UK economy.
In light of the draft adequacy decision for the US data privacy framework, UK businesses may also be able to breathe a slight sigh of relief as it appears that the risk of the UK losing its own adequacy status granted by the EU will be significantly reduced if the EU continues to apply similar criteria.
Let’s hope that 2023 is the year that personal data is permitted to flow more seamlessly across the Atlantic to the US – both from the EU and the UK.