Impact of European Commission support for EU-U.S. Data Privacy Framework and next steps

On 13 December 2022, the European Commission (“EC”) published its draft adequacy decision for the EU-U.S. Data Privacy Framework (“DPF”), which is intended to foster trans-Atlantic data flows and to address the concerns raised by the Court of Justice of the European Union (“CJEU”) in its Schrems II judgment. The draft adequacy decision is based on a self-certification mechanism similar to that of the invalidated EU-U.S. Privacy Shield and takes into account the changes in U.S. law introduced by U.S. Executive Order 14086, Enhancing Safeguards for U.S. Signals Intelligence Activities (“EO 14086”). In light of these changes, the EC concludes that the U.S. ensures an adequate level of protection for personal data transferred from the EU to the U.S. The publication of the draft adequacy decision marks the launch of the process for the adoption of a final adequacy decision in 2023. This development also has immediate implications for the risk assessment of personal data transfers to the U.S.

Setting the scene

The DPF is the result of nearly two years of negotiation between the EU and U.S. governments to replace the EU-U.S. Privacy Shield following its invalidation by the CJEU in July 2020. With its draft adequacy decision, the EC has reached its initial determination that companies certifying compliance with the DPF principles can provide European data subjects with a level of data protection that is “essentially equivalent” to that provided within the EU when their personal data is transferred to the U.S.

Chapter V of the General Data Protection Regulation (“GDPR”), as further interpreted by the CJEU, restricts transfers of personal data from the European Economic Area (“EEA”) to third countries unless the EC has determined that the laws of the third country, or of specified sectors within the third country, ensure a level of data protection that is “essentially equivalent” to that provided within the EEA, or unless similar protections are offered through enforceable transfer mechanisms (such as the EC’s standard contractual clauses or Binding Corporate Rules).

The DPF is the third iteration of a trans-Atlantic framework for lawful data transfers. While the EC previously reached adequacy determinations for the EU-U.S. Safe Harbor and its successor, the EU-U.S. Privacy Shield, those determinations were set aside by the CJEU in its Schrems I and Schrems II judgments over concerns that the EC had failed to adequately consider the scope of potential access to personal data by U.S. intelligence agencies and the perceived lack of redress for EU data subjects. In both cases, the CJEU found that the potential for indiscriminate or “bulk” surveillance of EU data subjects whose personal data had been transferred to the U.S. was incompatible with EEA law.

U.S. law reforms

Alongside the ongoing trans-Atlantic work on the DPF, the White House on 7 October 2022 issued EO 14086, which adds a layer of safeguards, applicable to EU data subjects, on top of the U.S. laws authorizing signals intelligence activities. EO 14086 establishes principles-based safeguards, built around the EU law concepts of necessity and proportionality, that members of the U.S. intelligence community must consider before engaging in surveillance activities, and it establishes a two-layer redress mechanism that individuals can use to challenge alleged violations of these principles. EO 14086 thus marks a significant shift in the authority under which U.S. intelligence agencies may surveil European data subjects, compared to the legal landscape at the time of the EC’s Safe Harbor and Privacy Shield adequacy determinations. For more information on EO 14086, see our previous article on the Executive Order.

The question now is whether the draft adequacy decision can find support from other EU institutions and, eventually, whether it can survive judicial scrutiny by the CJEU.

A robust stance by the European Commission

In its assessment of U.S. law, the EC focuses on the points raised by the CJEU in Schrems II, namely the necessity and proportionality standards for the collection of signals intelligence by U.S. intelligence agencies and the availability of effective judicial redress. Not surprisingly, the EC devotes a substantial portion of the draft adequacy decision to evaluating how EO 14086 helps protect EEA personal data and EEA data subjects.

The EC highlights that EO 14086 requires privacy considerations to be taken into account from the initial stage at which intelligence priorities are developed (and that surveillance may take place only on the basis of those limited intelligence priorities). Importantly, the EC clarifies that the changes in U.S. law, although already in force, must still be implemented by the relevant members of the U.S. intelligence community (which EO 14086 requires within one year of its issuance). The draft adequacy decision is expressly contingent on the adoption of EO 14086’s safeguards into the policies and procedures of the U.S. intelligence community, and on access by EEA data subjects to the two-layer redress mechanism (which requires the establishment of the mechanism by DOJ regulations and the U.S. Attorney General’s designation of the European Union as a “qualifying state”).

It is also worth noting that the EC has bolstered its draft adequacy decision by including in its analysis protections already available under U.S. law that the CJEU either rejected or did not focus on when it invalidated the Privacy Shield adequacy determination. This may indicate that the EC anticipates future challenges to its determination. Notably:

  • The EC spends time outlining the safeguards (including redress) available to EEA data subjects under existing law, even prior to the implementation of EO 14086. These are safeguards, such as the Foreign Intelligence Surveillance Court’s approval of the certifications under which collection takes place under Section 702 of FISA, that the CJEU explicitly rejected as insufficient in Schrems II.

  • The EC reviews the limitations on government access to data in the law enforcement context, although this context was not a focus of the CJEU’s Privacy Shield invalidation and was not detailed in the EC’s Privacy Shield adequacy determination.

Are there changes in comparison to the EU-U.S. Privacy Shield?

While the overall structure and approach of the draft adequacy decision for the DPF correspond to the invalidated adequacy decision for the EU-U.S. Privacy Shield, there are some notable changes, including the following: 

  • The draft adequacy decision now expressly takes into account and references relevant provisions of the GDPR. This was not the case for the Privacy Shield adequacy decision, which was issued in 2016 before the GDPR entered into force. The application of the GDPR leads to a slightly expanded scope of the Principles, which now also cover pseudonymized (or “key-coded”) research data.

  • The EC’s assessment of U.S. law is updated to include the changes introduced by EO 14086, with an emphasis on proportionality and effective redress options, as required by the CJEU.

  • The principles that U.S. organizations will have to comply with in order to self-certify under the DPF are largely based on the principles established under the Privacy Shield framework, but have been slightly tweaked. Organizations that are or were certified under the Privacy Shield framework are therefore likely well positioned to also self-certify under the DPF.

What are the next steps in the adoption process?

With the publication of the draft adequacy decision, the EC has kicked off a process for the adoption of a final adequacy decision greenlighting the DPF’s use, which is expected to take approximately six months:

  • As a first step in the adoption process, the draft adequacy decision was transmitted to the European Data Protection Board (“EDPB”) for its opinion. Although the EDPB’s opinion is not binding on the EC, it is a crucial indicator of the coordinated position of the European DPAs on the adequacy decision.

  • Second, the EC must obtain approval from a committee composed of representatives of the EU Member States.

  • Third, the European Parliament has a right of scrutiny over adequacy decisions.

The draft adequacy decision contains placeholders for the determinations reached as part of the adoption process and, if all these steps are successfully completed, the EC will adopt the final adequacy decision. Once the finalized decision is published in the EU Official Journal, it will take immediate effect.

What is the impact now?

Organizations wishing to use the DPF for transfers of personal data to the United States should closely monitor the further process for the adoption of the adequacy decision. Companies should particularly keep an eye on the coordinated position of the EDPB on the draft adequacy decision, since the national DPAs have so far issued only mixed opinions on the changes in U.S. law introduced by EO 14086, ranging from rather critical assessments (e.g. by the DPA of Baden-Wuerttemberg) to optimistic evaluations (e.g. by the DPA of Hamburg).

Until the adoption of a final adequacy decision, organizations should continue to rely on the existing transfer mechanisms, such as the European Commission’s Standard Contractual Clauses for international data transfers (“SCCs”). In doing so, companies should keep in mind that the final deadline for completing the transition from the old set of SCCs to the new SCCs is 27 December 2022.

Crucially, companies can already use the draft adequacy decision to inform their transfer impact assessments. The EC provides the most detailed public view we have seen of how U.S. law might be interpreted for the purposes of evaluating the lawfulness of EU-U.S. data transfers. In particular, the EC sets out its views on (1) law enforcement access mechanisms, (2) national security access mechanisms (e.g., FISA Section 702 and National Security Letters), and (3) the safeguards offered by the new EO 14086. The analysis of these laws is applicable to all trans-Atlantic transfers, not just to those that would take place under the DPF. Ultimately, a key message of the draft adequacy decision is that, as a result of the U.S. law reforms brought about by EO 14086, the risk of unjustified, disproportionate and unchallengeable access to European personal data by U.S. government agencies has decreased to EU-compatible levels.

We will provide further updates on the adoption process for the final adequacy decision on Hogan Lovells Engage.

Authored by: Eduardo Ustaran, Bret Cohen, Henrik Hanssen, and Julian Flamant.
