Last December, the European Commission (EC) published a draft adequacy decision on the EU-US Data Privacy Framework (DPF). This is the beginning of a new chapter in the Schrems saga, which already has two chapters in the form of the Schrems I and Schrems II decisions of the Court of Justice of the European Union (CJEU). Max Schrems already announced, on 7 October 2022, that he will challenge the adequacy decision when it is finalised. In this regard, Didier Reynders, the European Commissioner for Justice, mentioned that the draft adequacy decision might have a “seven or eight out of 10 chance” of being upheld in case of a legal challenge.
This article aims to explain, from a practical point of view, the draft adequacy decision issued by the EC. To achieve this, the article will first trace the developments that led to the draft adequacy decision. It will then set out the list of elements that the EC and the European Data Protection Board (EDPB) take into consideration when issuing an adequacy decision for any third country. Subsequently, the article will draw parallels to the observations made in the Schrems II decision and explain how they have been dealt with in the DPF. Based on the above, the article will assess the persisting qualms and also provide recommendations to organisations intending to undertake international data transfers to the US.
Timeline and Elements of Adequacy Decision:
The timeline of the developments that led to the draft adequacy decision is as follows:
Throughout the above timeline, the CJEU, the EC, and the EDPB have assessed the various data transfer mechanisms against certain key elements. The list of elements, published as early as 28 November 2017 by the Article 29 Working Party, comprises the following:
Therefore, the DPF must satisfy the above elements to withstand a legal challenge. The EC, in its draft decision, has also emphasised that the objective of the General Data Protection Regulation (GDPR) is to encourage data transfers and not to hinder the free flow of data. In making this specific observation, the EC also acknowledges that the level of protection in the US may not be identical to that in the EU, but it must be essentially equivalent and based on safeguards comparable to those in the EU.
Privacy Shield agreement shortcomings:
The CJEU, while invalidating the Privacy Shield agreement, observed the following points:
As a consequence, the above observations led to the conclusion that the Privacy Shield did not afford equivalent levels of protection to EU citizens in the US compared to the GDPR and the Charter of Fundamental Rights of the European Union.
Actions taken by the US in view of Privacy Shield agreement shortcomings:
To counter the above observations, the DPF states the following:
- The US authorities that collect personal data in furtherance of national security concerns may only do so based on the following two considerations:
  - The established procedures and legal basis provided in section 105 FISA, section 302 FISA, Section 402 FISA, Section 501 FISA and section 702 FISA, and in adherence to Executive Order 14086 passed on 07.10.2022
  - Intelligence agencies are mandated to establish policies and procedures, in consultation with various contributors, by 7 October 2023. The policies and procedures established by intelligence agencies must be based on the following points:
    - the necessity and proportionality principle
    - a balance between the need for intelligence and the impact on privacy and civil liberties
    - access to personal data limited to specific objectives
    - access must not affect the free expression of ideas and opinions by individuals based on their ethnicity, race, gender, sexual orientation or religion
    - adoption of a “targeted data collection” approach as opposed to the previous “bulk collection” approach
- The data subjects have also been provided with an enhanced two-step redressal mechanism:
  - To bring any claims before the Civil Liberties Protection Officer in the Office of the Director of National Intelligence (CLPO)
  - To appeal the decision of the CLPO before the Data Protection Review Court (DPRC). The DPRC must issue a well-reasoned, written decision based on the evidence presented by the parties before it. The threshold of admissibility of a case before the DPRC is set low, as data subjects do not need to demonstrate that their data has in fact been compromised by the intelligence agencies
- The data subjects also have the opportunity to file a case against the US authorities with any of the Supervisory Authorities in the EU
The improvements mentioned above suggest that the DPF indeed resolves the concerns raised in the Schrems II decision. However, the DPF is not an entirely novel solution. As under the Privacy Shield Agreement, companies will have to self-certify annually to a set of principles loosely similar to those enshrined in the GDPR. These certifications will be registered with the US Department of Commerce and the Federal Trade Commission. The US-based companies or organisations will have to certify, among other things, that they:
Redressal Mechanism under draft DPF:
With respect to the redressal mechanism, the DPF is silent on the lock-in possibilities for data subjects once they initiate a challenge related to the processing of their personal data. In practical terms, the DPF does not consider the possibility that a data subject may be foreclosed from approaching other forums or courts within the US because they have initiated proceedings before the CLPO. The above concern is further exacerbated by the similarities between the Privacy Ombudsman position (Privacy Shield Agreement) and the CLPO (DPF).
Considering the above, it is apparent that substantial changes arising from the DPF are to be implemented in the US, and these are due in 2023. These changes will also play a significant role in any legal challenge to the DPF. The EC, in its draft decision, is of the opinion that the changes proposed by the US are sufficient to satisfy the criteria set out by the Article 29 Working Party in 2017. Therefore the EC, through its draft adequacy decision, finds that the DPF could afford adequate protection to the rights and freedoms of data subjects whose data is transferred to the US.
However, there are still some loopholes in the form of the self-certification mechanism and the redressal mechanism under the DPF that may introduce some complexity. In view of this, the EC has provided for an initial review of the decision after the first year, and it is expected that subsequent review periods will be set after the first review. It should also be noted that Article 45(3) GDPR provides for a review of an adequacy decision every four years, and the final decision would therefore be subject to the same requirement.
While the draft decision has been published, it is essential to note that it is yet to be finalised. In view of this, our recommendations to those EU organisations contemplating data transfers to the US are:
Trilateral’s Data Governance and Cyber-Risk Team have significant experience helping our clients achieve compliance with the latest Data Protection and ePrivacy regulations. We offer data governance services that can help your organisation develop policies and procedures for ongoing compliance. Trilateral can help audit existing practices, review your current systems and undertake the transfer impact assessment if your organisation is looking to rely on SCCs for transfers to third countries. Please get in touch with our advisors, who would be more than happy to help.