The proposal released by the European Commission would establish a new legal basis for data transfers to the US. If adopted, it would facilitate data transfers to, among others, American data processors. Mere hours after the proposal's release, privacy activists began criticizing the draft decision. Can we prepare to say goodbye to transfer impact assessments, or are we on the road to Schrems III?
On December 13th, 2022, the European Commission released a draft decision which, if adopted, would recognize the EU-U.S. Data Privacy Framework ("the Framework") as ensuring an adequate level of data protection. This would greatly simplify data transfers from countries under the GDPR regime to those US companies that decide to join the Framework. One of these simplifications is that it would no longer be necessary to perform so-called transfer impact assessments: case-by-case evaluations of the risks of a transfer, which are mandatory for transfers based on the modernized standard contractual clauses.
The decision follows the Joint Statement released by the EU Commission and the United States earlier this year, where this Trans-Atlantic Data Privacy Framework was announced to have been agreed on in principle.
US companies can join the Framework by committing to comply with a set of privacy obligations. In its statement, the EU Commission cites as examples the requirement to delete personal data once it is no longer necessary for the purpose for which it was collected, and the requirement to ensure continuity of protection when personal data is shared with third parties. European citizens are also to gain access to free-of-charge redress avenues if their personal data is handled in violation of the Framework.
In addition to the Framework, the Commission points to new US measures intended to address the concerns raised by the Court of Justice of the European Union (CJEU) in the Schrems II judgement, the outcome of proceedings in which the Austrian lawyer-activist Max Schrems and his non-profit organization noyb brought about the invalidation of the EU Commission's Privacy Shield.
The new US measures referred to are Executive Order 14086 of October 7, 2022 and the regulations issued by US Attorney General Merrick Garland. President Biden's Executive Order states that "the United States recognizes that signals intelligence activities must take into account that all persons should be treated with dignity and respect, regardless of their nationality or wherever they might reside, and that all persons have legitimate privacy interests in the handling of their personal information. Therefore, this order establishes safeguards for such signals intelligence activities." It remains to be seen whether this Executive Order will actually change long-held practices in US signals intelligence in a manner that satisfies the CJEU.
According to the EU Commission, access to the personal data of European citizens by US intelligence agencies is now to be limited to what is necessary and proportionate to protect national security. The newly created US Data Protection Review Court is further meant to provide legal remedies to European citizens and is described as an "independent and impartial redress mechanism".
Whether the CJEU will consider the concerns it stated in Schrems I and Schrems II to be resolved by the EU Commission's proposal remains to be seen. Noyb announced on December 13th that, in its view, the US Executive Order is unlikely to fulfil the criteria set forth by the CJEU, and accused the EU Commission of flagrantly violating European fundamental rights. It must therefore be expected that this Framework, too, will be challenged before the CJEU, and students and practitioners of data protection alike should prepare for a potential Schrems III.
Only time will tell whether the Commission’s draft proposal will end up simplifying EU-U.S. data transfers for good or whether it will join Safe Harbour and Privacy Shield on the legal graveyard of insufficient data protection assurances.
Companies should note that, at this point in time, no data transfer to the US can be based on this draft proposal; existing transfer mechanisms, such as the standard contractual clauses together with a transfer impact assessment, remain required. The draft must first pass through the steps of the adoption procedure: it is submitted to the European Data Protection Board (EDPB) for its opinion, must then be approved by a committee composed of representatives of the EU member states, and must finally survive scrutiny from the European Parliament. Only then can the Commission adopt the final adequacy decision.
Read the EU Commission’s press release and the draft adequacy decision here.