InfoLawGroup LLP


EU-US Data Privacy Framework in Force: EU Commission Grants Adequacy Determination to the US


by: Max Landaw

On July 10, the European Commission formally adopted its adequacy decision for the United States pursuant to the EU-US Data Privacy Framework (DPF). This culminates an approximately 9-month process that began with President Biden’s October 2022 Executive Order 14086 (the EO). The EO limits permitted US government surveillance activities and creates a redress mechanism for non-US residents of “qualifying states” to resolve complaints and conduct investigations regarding use of personal data by national security authorities. On June 30, US Attorney General Merrick Garland formally designated the European Union, Iceland, Liechtenstein, and Norway as qualifying states pursuant to the EO. This means that EU residents are now formally able to avail themselves of the administrative courts put in place by the EO.

What is an adequacy determination and why does it matter that the US has one?

The EU GDPR allows for the cross-border transfer of personal data among the 27 member states without being subject to any further safeguards or conditions. Countries outside of the EU are broadly called “third countries”. When the EU grants an adequacy determination to a third country, such as the United States, the EU is stating that cross-border personal data transfers to that third country can be treated the same as an intra-EU personal data transfer because that third country provides a comparable level of protection of personal data to the EU.

Without an adequacy determination, EU-to-US personal data transfers needed to be subject to additional safeguards such as the standard contractual clauses. However, as we saw from the Meta Ireland case, EU data supervisory authorities have been scrutinizing EU-to-US personal data transfers based on the standard contractual clauses. Since Schrems II, the supervisory authorities have consistently held that US importers could not provide essential equivalence to EU data protection standards due to deficiencies and overreach in US government surveillance.

This adequacy determination represents a complete reversal: data may flow freely, with no additional safeguards, between an EU exporter and a US importer that signs up with the DPF.

What are the benefits of the DPF and how do we sign up?

The main benefit of the DPF is that any US company that signs up does not need to rely on additional safeguards for transferring data from the EU to the US. For most companies, this means that the standard contractual clauses are not the only option for EU-to-US data transfers. Companies can now choose to sign up for the DPF instead of relying on standard contractual clauses or other safeguards.

There are benefits even for US companies that do not sign up with the DPF, namely that other transfer tools such as standard contractual clauses are much less likely to be scrutinized for suitability. The EU has stated, “All the safeguards that have been put in place by the US Government in the area of national security (including the redress mechanism) apply to all data transfers under the GDPR to companies in the US, regardless of the transfer mechanisms used. These safeguards therefore also facilitate the use of other tools, such as standard contractual clauses and binding corporate rules.”

It is not yet clear how to sign up and self-certify with the DPF. There is some speculation that the US Department of Commerce plans to revamp the Privacy Shield website with instructions on how those who currently self-certify with the defunct (since Schrems II) Privacy Shield can certify with the DPF. The process for self-certifying for the DPF will also likely be similar to signing up for Privacy Shield as the two frameworks are very similar.

But how do we know if this adequacy decision will stick?

We don’t. The US has had two prior adequacy decisions invalidated by the Court of Justice of the European Union (CJEU), in the Schrems I and Schrems II cases. Max Schrems’s privacy advocacy group, None Of Your Business (noyb), has unsurprisingly declared its intent to invalidate the DPF. Noyb believes it can get a case before the CJEU by the end of 2023 or early 2024. However, the likelihood is that the DPF will be a valid transfer mechanism for at least a few years.

Originally published by InfoLawGroup LLP.