Just a few weeks ago, on the 10th of July 2023, the European Commission adopted the long-awaited Implementing Decision pursuant to Regulation (EU) 2016/679 (the 'GDPR') of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework ('the Adequacy Decision'). As stated by the President Ursula von der Leyen, "The new EU-U.S. Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic".
In truth, this new trans-Atlantic Data Privacy Framework (the 'Framework') is the third attempt by the European Commission to reach a stable agreement for data transfers between the 27 EU Member States, including Norway, Iceland, and Liechtenstein, to the US. Under Article 44 of the GDPR, transfers of personal data from the EU or EEA to a third country is prohibited, unless an appropriate data transfer mechanism is in place. The GDPR identifies various types of data transfer mechanisms, including the implementation of standard contractual clauses or binding corporate rules, and even caters for derogations for particular processing operations. One of the strongest data transfer mechanisms identified under the GDPR is an adequacy decision i.e. where the European Commission determines, by means of an implementing act, that a non-EU country ensures 'an adequate level of protection'. Such 'adequate level' of protection for personal data is essentially equivalent to the level of protection within the EU. Hence, the outcome of an adequacy decision is for personal data to flow freely from the EU Member States to a third country, without being subject to any further conditions or authorisations.
The adoption of the Adequacy Decision, therefore establishes that data transfers from any public or private entity in the EEA to organisations of the US which are certified under the 'Data Privacy Framework List' do not require the implementation of any additional safeguards for the transfer to take place. As aforementioned, this is not the first time an attempt has been made to regulate the transfer of personal data across the Atlantic, so what is different this time?
In the year 2000, we saw the first attempt made through the establishment of the US-EU Safe Harbour. This mechanism lasted for a number of years, however in 2015, the Court of Justice of the European Union ('CJEU') in Schrems I invalidated the EU-US Safe Harbour in light of the vast US surveillance laws, which allowed surveillance without the need for probable cause or judicial approval. The second attempt was made in 2016 with the implementation of the Privacy Shield, which was largely based on its previous predecessor, the Safe Harbour. Although an improvement, the Privacy Shield still presented major points of concern on collection of massive amounts of data and so was invalidated by the CJEU in Schrems II on the 16th of July 2020.
The Framework introduces new binding safeguards and redress mechanisms, in order to address concerns and mainly incorporates two additions. Firstly, that the access to data is limited to what is necessary and proportionate to protect national security, and secondly, it establishes an independent and impartial redress mechanism for EU-based individuals.
Both additions were implemented by virtue of the US Executive Order regarding the 'Enhancing Safeguards for United States Signals Intelligence Activities', signed by President Biden in October 2022. The Executive Order provides for binding safeguards that limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security and also enhances the oversight of activities by US intelligence services to ensure compliance with limitations on surveillance activities.
The redress mechanisms relate to independent dispute resolution tools, as well as arbitration mechanisms. Individuals are encouraged first to lodge a complaint with the respective US organisation, however data subjects can escalate the matter by submitting a complaint to their national data protection authorities, which in turn would transmit the complaint to the European Data Protection Board ('EDPB'). The EDPB would relay the complaint to the relevant US authority, particularly the Civil Liberties Protection Officer ('CLPO') of the US intelligence community which is responsible for the investigation of complaints and the monitoring of compliance of the US intelligence agencies with privacy and fundamental rights. Throughout this process the data subject will be provided with information regarding the complaint handling process, including with regard to the outcome of the lodged complaint, by the relevant data protection authority. Any decisions of the CLPO can be appealed before the newly created Data Protection Review Court ('DPRC'). In this case, the DPRC holds the power to investigate complaints brought forward by EU individuals and obtain relevant information from intelligence agencies, allowing it take binding remedial decisions. Once the CLPO or the DPRC have concluded their investigation, a determination of the complaint will establish whether there was a violation of US law or whether the violation was found and remedied.
This Adequacy Decision will be subject to a first review within one year after its entry into force, to verify whether all relevant elements have been fully implemented and are functioning effectively in practice. Depending on its outcome, the EU Commission will decide, in consultation with the EDPB and the EU Member States, on the periodicity of subsequent reviews, which will in any event take place at least every four years. In any case, adequacy decisions may be adjusted or withdrawn, the latter where the level of the third country is no longer deemed to be adequate.
Although the Adequacy Decision has been welcomed by many, it's not all roses. For instance, although Section 702 of the US Foreign Intelligence Surveillance Act (FISA) (which regulates bulk surveillance) was adjusted via the new US executive Order 14086 to include the word 'proportionate' in order to conform with Article 52 of the EU's Charter of Fundamental Rights (CFR), the interpretation of the same term is still in the hands of the US authorities. Additionally, the data subject will still not have any direct interaction with the CLPO and the DPRC, acting as partially independent executive bodies, and therefore the outcome of theses redress mechanisms has been argued to be a rehash of the previous problematic role of the 'Ombudsman' as set out under the predecessors of the Framework.
There may be a possible Schrems III decision on the horizon, as hinted by the NGO noyb, founded by Max Schrems. In such a case, a final decision would not be given by the CJEU before the end of 2024, and the CJEU may also decide to suspend the Framework during the course of the proceedings. But those are pleasures yet to come...what does the adoption of the Adequacy Decision mean for EU-based companies that process personal data?
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.