On 13 December 2022, the European Commission (“EC”) published its draft adequacy decision for the EU-U.S. Data Privacy Framework (“DPF”) that is intended to foster trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union (“CJEU”) in its Schrems II judgment. The draft adequacy decision is based on a self-certification mechanism similar to the invalidated EU-U.S. Privacy Shield and takes into account the changes in U.S. law introduced by U.S. Executive Order 14086 Enhancing Safeguards for U.S. Signals Intelligence Activities (“EO 14086”). In light of these changes, the EC concludes that the U.S. ensures an adequate level of protection for personal data transferred from the EU to the U.S. The publication of the draft adequacy decision marks the launch of the process for the adoption of a final adequacy decision in 2023. Additionally, this development has immediate direct implications for the risk assessment of personal data transfers to the U.S.


Setting the scene

The DPF is the result of a nearly two-year negotiation between the EU and U.S. governments to replace the EU-U.S. Privacy Shield following its invalidation by the CJEU in July 2020. With its draft adequacy decision, the EC has reached its initial determination that companies certifying compliance with the DPF principles can provide European data subjects with a level of data protection that is “essentially equivalent” to that provided within the EU when their personal data is transferred to the U.S.

Chapter V of the General Data Protection Regulation (“GDPR”), as further interpreted by the CJEU, restricts transfers of personal data from the European Economic Area (“EEA”) to third countries unless the EC has determined that the laws in the third country, or specified sectors within the third country, ensure a level of data protection that is “essentially equivalent” to that provided within the EEA, or similar protections are offered through enforceable transfer mechanisms (e.g., the EC’s standard contractual clauses or Binding Corporate Rules).

The DPF is the third iteration of a trans-Atlantic framework for lawful data transfers. While the EC previously reached adequacy determinations for the EU-U.S. Safe Harbor and its successor, the EU-U.S. Privacy Shield, those determinations were set aside by the CJEU in its decisions in Schrems I and Schrems II (read our coverage here) over concerns that the EC had failed to adequately consider the scope of potential access to personal data by U.S. intelligence agencies and the perceived lack of redress for EU data subjects. In both cases, the CJEU found that the potential for indiscriminate or “bulk” surveillance of EU data subjects whose personal data had been transferred to the U.S. was incompatible with EEA law.

U.S. law reforms

Alongside the ongoing trans-Atlantic work on the DPF, the White House on 7 October 2022 issued EO 14086, which adds a layer of safeguards on top of U.S. law authorizing signals intelligence that apply to EU citizens. EO 14086 established principles-based safeguards focused on the EU law concepts of necessity and proportionality that members of the U.S. intelligence community must consider before engaging in surveillance activities, and established a two-layer redress mechanism that individuals can use to challenge alleged violations of these principles. EO 14086 has ushered in a significant shift in the authority U.S. intelligence agencies may use to surveil European data subjects compared to the legal landscape at the time of the EC’s Safe Harbor and Privacy Shield adequacy determinations. For more information on EO 14086, see our previous article, here.

The question now is whether the draft adequacy decision can find support from other EU institutions and, eventually, whether it can survive judicial scrutiny by the CJEU.

A robust stance by the European Commission

In its assessment of U.S. laws, the EC focuses on…

Read The Full Article at Hogan Lovells