European Commission Green Lights EU-US Data Privacy Framework, Paving Way for Freer Data Flows to the United States
In a much-anticipated move, the European Commission (Commission) has officially adopted its adequacy decision (Decision) for the EU-U.S. Data Privacy Framework (Framework), which provides for simplified transfers of personal data from the European Union to the United States in compliance with the General Data Protection Regulation (GDPR). Under the Framework, controllers and processors may transfer personal data of EU data subjects to Framework-certified entities in the United States without an additional mechanism authorizing such transfer (which, recently, has often been for companies to enter the Standard Contractual Clauses (SCCs), drastically increasing some companies’ contracting and compliance obligations). While the prior two versions of the Framework have been invalidated — causing some chaos for certified bodies — and the new Framework will most certainly be challenged, and even struck down, it could offer a years-long reprieve for companies looking to avoid prolonged contract negotiations and scrutiny of the sufficiency of transfer impact assessments (TIAs).
Through this adequacy decision, “the Commission concludes that the United States ensures an adequate level of protection for personal data transferred under the [Framework] from a controller or a processor in the Union to certified organizations in the United States.” This was the exact stance of the Commission under the previous regime, the EU-U.S. Privacy Shield (Privacy Shield). Under the GDPR, transfers between the EU and the U.S. must have a lawful basis — a passport so to speak — which can be an adequacy decision (such as the Framework or the Privacy Shield) or the imposition of special requirements on the recipient of the data in the United States (data importer), such as SCCs or Binding Corporate Rules (BCRs) (the SCCs are contractual obligations and the BCRs are approved internal rules and standards).
In Schrems II [1], the Court of Justice of the European Union (CJEU) determined that the Privacy Shield was fundamentally flawed because it prioritized U.S. national security, public interest, and law enforcement over the privacy rights of data subjects. First, the CJEU found that use of personal data by U.S. surveillance programs was not limited to what is strictly necessary and proportional as required by the GDPR. Second, the court held that the Privacy Shield did not provide data subjects with a right to effective legal remedies in the United States because U.S. intelligence law lacks individualized protections, such as actionable rights of challenge before U.S. courts that are essentially equivalent to privacy rights guaranteed in the EU, and the ombudsperson established by the Privacy Shield lacked independence and power to adopt decisions that are binding on U.S. intelligence services. Relatedly, according to the CJEU, authorities of the EU Member States have insufficient powers and means to take effective action in relation to data subjects’ complaints based on allegedly unlawful processing in the United States.
With respect to SCCs and BCRs, the CJEU indicated that these, too, would be insufficient absent “supplementary measures” to ensure adequate protection for personal data transferred to the United States for the same reasons. But the CJEU provided scant detail in Schrems II on what such supplementary measures might look like.
Thus, the European Data Protection Board (EDPB) published new guidance (Recommendations) that added prescriptive detail to offer practical guidance for the thousands of companies engaging in transfers of personal data from the EU to the United States on a daily basis. The Recommendations served to help fill the gap in the Schrems II decision with respect to practical implementation of sufficient “supplemental measures.” The Recommendations set forth a six-step process for data exporters, in collaboration with data importers where appropriate, to identify the need for and to adopt supplementary measures when necessary. While the Recommendations include examples of a number of scenarios where supplementary measures may be effective, the EDPB acknowledged that there would be situations where supplementary measures will not be sufficient to ensure compliance. In such cases, data transfers to third countries would be prohibited.
In addition, six months later, the Commission published new SCCs for personal data transfers. These new SCCs attempted to address the Schrems II finding that the old ones may not provide adequate protections for personal data transferred to non-European Economic Area (EEA) countries, such as the United States, in which the government may have broad surveillance powers and provide limited opportunities for data subjects to exercise their rights. In addressing Schrems II, the new SCCs require the parties to determine whether the third country provides adequate protection based on the nature of the personal data and the protections afforded under local law. In fact, the new SCCs impose additional obligations on both data exporters and data importers to “prove” they can comply with their obligations by conducting a TIA. The TIA criteria and risk factors to be taken into account include (1) the transfer’s specific circumstances; (2) the destination country’s laws and practices; and (3) the relevant contractual, technical, and organizational safeguards that the parties implement in addition to obligations under the SCCs. The parties may also consider the data importer’s previous practical experience with public authorities’ requests for access to personal data.
This process of identifying supplementary measures to the SCCs and ensuring that transfers can be made to the United States in compliance with the GDPR has turned into a massive compliance obligation for companies to conduct these TIAs with respect to every transfer made on a contract-by-contract basis. Many controllers in the EU want to evaluate and challenge the sufficiency of data importers’ TIAs, drastically increasing contracting time and burden.
Path Towards the Framework
Following the Schrems II decision and as the EU was increasing the compliance burdens associated with relying on the SCCs, the United States reacted by trying to address the main issues identified by the CJEU. The Biden administration’s October 2022 Executive Order 14086 (EO 14086) addressed the two major issues identified in Schrems II. First, in response to the CJEU’s finding that U.S. law permitted overbroad and disproportionate collection of personal data by U.S. law enforcement and intelligence agencies, EO 14086 requires (1) those activities be limited to defined national security obligations and take into consideration the privacy and civil liberties of individuals, (2) enactment of handling requirements for personal data collected through such activities and other policies and procedures, and (3) extension of the responsibilities of officials to ensure compliance and remediation of non-compliance.
Second, to address the CJEU’s finding that the United States lacked a cause of action for aggrieved EU data subjects whose personal data was transferred to the United States, EO 14086 provided for a multilayer mechanism for individuals to obtain independent and binding review and redress with regard to claims relating to unlawful processing of their data through U.S. signals intelligence.
The Framework and the Adequacy Decision
The Framework is based on a company’s public commitment to comply with the Framework Principles (Principles) issued by the U.S. Department of Commerce (DoC). These Principles include:
- Notice: Providing notice to individuals about the use, disclosure, and protection of their personal data and with information about how to exercise privacy rights (including levying complaints)
- Choice: Providing clear, conspicuous, and readily available mechanisms for choice over certain disclosures and for all secondary uses inconsistent with the original purpose
- Accountability for Onward Transfers: Taking responsibility, through notice and contractual terms, for data transferred to third parties
- Security: Reasonably and appropriately protecting personal data
- Data Integrity and Purpose Limitation: Processing personal data only for the purposes needed and ensuring ongoing accuracy of that data
- Access: Providing access and other individual privacy rights
- Recourse, Enforcement, and Liability: Ensuring robust mechanisms for ensuring compliance with the Principles, which includes several different mechanisms where consumers can bring complaints and be heard
In addition, the Principles have Supplemental Principles designed either (1) to further elucidate the main Principles or (2) to describe special circumstances for special kinds of personal data. For example, unlike prior versions of EU-U.S. adequacy decisions, the Framework covers clinical trial data, but requires that specific precautions be taken with respect to notice and consent for use of that sensitive data set. As another example, the laws of the EU Member States applicable to human resources data need to be respected (as well as the Framework) prior to transfer. Finally, the Recourse, Enforcement, and Liability Principle is bolstered by a verification requirement, under which companies must ensure that their implementation of the Principles has been adequate (through a self-assessment or outside review).
The Decision relies on the Principles, as well as on President Biden’s Executive Order, to find adequacy for certifying companies. The Decision indicates that EO 14086 “strengthens the conditions, limitations and safeguards that apply to all signals intelligence activities,” effectively addressing one of the Schrems II findings. The Decision also discusses, at length, the Recourse, Enforcement and Liability Principle, noting that the Principle “provides data subjects with a number of possibilities to enforce their rights, lodge complaints regarding non-compliance by EU-U.S. organizations and to have their complaints resolved, if necessary by a decision providing an effective remedy.” Because individuals can bring a complaint directly to the company, an independent dispute resolution body, to national data protection authorities, to the DoC, or to the FTC, or invoke binding arbitration, the Decision finds adequate redress, addressing the second major point of the Schrems II decision.
The Adequacy Decision itself seems to be a roadmap to try to address any (very likely) challenges.
What About Challenges to the Framework?
It seems highly likely that the Framework will, as with its predecessors, be challenged and, possibly, be invalidated at some point in the future. The NOYB (the organization headed by Max Schrems) has indicated it will challenge the Framework; however, whether by NOYB or otherwise, the process of challenging the Framework is likely to be protracted, taking years for resolution.
In addition to the challenge itself taking a significant amount of time to be resolved, whether the challenge will be successful will depend on whether the court believes that the issues previously identified were actually remediated by the U.S. efforts on both minimizing surveillance efforts and on providing an effective redress mechanism.
The United Kingdom and Switzerland
The United Kingdom (UK) and Switzerland, not being part of the EU, do not gain the benefit of the Framework and companies, for now, will need to continue to rely on the SCCs for transfers directly from those countries to the United States, even if certified.
While there is not currently a similar mechanism to ensure the free flow of data between the UK or Switzerland and the United States, the United States and the UK have announced an intention to enter into a “Data Bridge” extending the Framework to UK transfers, which we expect to be finalized in the short term.
There has not, to date, been any indication that Switzerland will similarly piggyback on the Framework, but the Swiss version of the SCCs remains a viable transfer mechanism.
To be certified under the Framework, companies must submit an application to the DoC. The company’s Framework application must include, among other things, a description of the purposes for which the company will process personal data, the personal data that will be covered by the certification, the method the company will use to verify its compliance with the Principles (i.e., self-assessment or outside compliance reviews), the statutory body that has jurisdiction to hear any privacy-related claims against the company, and an independent recourse mechanism to investigate unresolved Principles-related complaints. Additionally, failure to comply with the Principles may subject companies to the investigatory and enforcement powers of the Federal Trade Commission or the Department of Transportation. Companies must recertify annually to continue taking advantage of the Framework.
By certifying to the Framework, importing entities effectively short-cut the TIA, because the Commission has determined as a rule that personal data transferred to certifying importers is adequately protected. Note that the Framework allows certain transfers to be made pursuant to the Framework and others to rely on other transfer mechanisms, like consent or the SCCs. Therefore, if a company wanted to rely on its intragroup data transfer agreement for purely internal transfers (that do not have a lot of negotiation hassle) but wanted to use the Framework for other transfers, this would be an easy way to lessen the certification burden itself. A TIA would still be required for those intragroup transfers conducted pursuant to SCCs, but only internal review of the TIA would be necessary.
Understandably, companies may be concerned that certification and compliance with the Framework will impose additional obligations or requirements on certifying bodies. The Principles largely mirror practices that many U.S. companies either already implement or will need to implement as more states pass their own consumer privacy laws. For example, the Principles include notice, choice, data minimization, data security, and the right of access. These principles are nearly ubiquitous in other legal regimes to which U.S. companies are increasingly subject. Additionally, many other legal regimes require companies to assess and audit their privacy practices and to have records of processing activities and data protection impact assessments, which should help with the certification process and compliance with the Principles. These efforts can be leveraged to support an application for Framework certification. In addition, most of the burdens in the Framework are already on companies using the SCCs. One potential downside of certifying will be public compliance with the Framework and potential enforcement for failure to comply with the Framework by the FTC or others. However, the benefits of certifying under the Framework may outweigh the burdens for many U.S. companies.
Many U.S. companies may want to consider certifying to the Framework to rely on it for some (if not all) cross-border transfers from the EU, given the substantial burden that negotiating the SCCs involves. While the SCCs themselves are relatively straightforward, discussions about whether the additional safeguards identified in TIAs are sufficient are often not.