Last spring, in my article Will Spring Bring a New EU-U.S. Privacy Shield Agreement?, I described how the EU and the U.S. were working toward an easier way to transfer data across the Atlantic. Sean Heather, senior vice president of regulatory affairs for the U.S. Chamber of Commerce, had said: “I feel like we have a chance to see something maybe mid-spring, late spring, early summer.” Well, spring came and went, and so did summer, but last fall an Executive Order signed by President Biden moved the process one step closer to completion.

On July 10, 2023, the European Commission finally adopted the much-awaited adequacy decision for the U.S., finding that the United States ensures an adequate level of protection, comparable to that of the European Union, for personal data transferred from the EU to U.S. companies that have certified under the framework. Commission President Ursula von der Leyen said: “The new EU-U.S. Data Privacy Framework will […] bring legal certainty to companies on both sides of the Atlantic.” However, many remain uncertain about the new framework and how it will stand up to scrutiny by the courts.

After the Schrems I ruling in 2015 invalidated the U.S.-EU Safe Harbor Framework and the Schrems II ruling in 2020 invalidated the EU-U.S. Privacy Shield, it is understandable that companies are still wary of the new U.S. adequacy decision. To see what makes the new framework different, I will review four main aspects of the EU-U.S. Data Privacy Framework (DPF).

Company Responsibilities

Just as under the Privacy Shield, U.S. companies will have to self-certify that they comply with specific data privacy principles and renew this certification annually. The U.S. Department of Commerce stated:

“[…] the EU-U.S. DPF does not create new substantive obligations for participating organizations with regards to protecting EU personal data [compared to the EU‑U.S. Privacy Shield Framework]. The privacy principles […] remain substantively the same.”

At first glance this may seem strange, since the Court's rulings found the Privacy Shield insufficient. However, the Court's main concern was access to personal data by the U.S. government, not the security measures implemented by the companies themselves. Therefore, the first prong of the DPF has not changed from the old adequacy decision, and companies may even convert an active EU-U.S. Privacy Shield Framework certification into a new certification under the DPF.

Avenues of Redress

Something that was missing under the EU-U.S. Privacy Shield Framework has been addressed under the new DPF. A new Data Protection Review Court has been established within the U.S. to investigate and hear complaints regarding access to personal data by U.S. authorities. This new redress system has independent and binding authority to investigate and resolve complaints regarding access to personal data by U.S. national security authorities. Access to the court is a two-step process. First, a resident of the EEA submits a complaint to their local data protection authority, which works with the European Data Protection Board (EDPB) to transmit the complaint to the United States. There a Civil Liberties Protection Officer, who is responsible for ensuring that the U.S. intelligence agencies comply with privacy and fundamental rights requirements, reviews the claim. If the Civil Liberties Protection Officer's decision is not favorable to the data subject, an appeal can be lodged with the Data Protection Review Court.

Additional Safeguards

In addition to the new avenues of redress, in October 2022 President Biden signed an Executive Order creating additional safeguards for the personal data of individuals in the EEA. These include:

  • Limited access to data by U.S. intelligence authorities, restricting access to that which is necessary and proportionate to protect national security;
  • Oversight over the U.S. intelligence services to ensure compliance with limitations on surveillance activities.

This means that the grounds on which, according to the Schrems cases, the United States was denied an adequacy decision have been addressed. Through this Executive Order the U.S. government is attempting to create legally binding limits that restrict the intelligence agencies' access to personal data to a level equivalent to that required under the General Data Protection Regulation (GDPR).

Periodic Review

The final prong of the adequacy decision rests on the need to verify that the other three prongs are actually bringing about the desired result. The European Commission stated on its website: “The first review will take place within a year of the entry into force of the adequacy decision, in order to verify that all relevant elements have been fully implemented in the US legal framework and are functioning effectively in practice.” This means there is a check built into the framework to determine whether the commitments made by the U.S. government to strengthen the privacy of all individuals have actually been implemented and are working the way the European Commission envisioned.

These four elements bundled together in the EU-U.S. Data Privacy Framework should provide peace of mind to Europeans whose data is being transferred to the United States, but some say a Schrems III case is only a few months away. Max Schrems, chair of noyb, commented:

“They say the definition of insanity is doing the same thing over and over again and expecting a different result. Just like ‘Privacy Shield’ the latest deal is not based on material changes, but by political interests.”

Each controller transferring data from the EU to the U.S. will have to make its own decision about how to move forward: whether to accept and rely on the adequacy decision, or to continue to implement standard contractual clauses (SCCs) as a safeguard.