News Update Privacy & Data Protection
22 december 2022
On 13 December 2022, the European Commission published its new draft adequacy decision for the United States which – if adopted – would make it easier for organisations to share personal data with recipients in the US. The draft decision reflects the assessment of the European Commission that the United States ensures an adequate level of data protection for personal data, paving the way for finalisation of the EU-US Data Privacy Framework ("DPF").
Background
The DPF aims to address the concerns raised by the Court of Justice of the European Union ("CJEU") in its Schrems II judgment of 16 July 2020, which invalidated the previous US adequacy decision. These concerns centred around disproportional bulk surveillance of EU citizens' personal data by US intelligence agencies and the lack of judicial redress against this for EU citizens. The DPF includes a new Executive Order by President Biden which introduces safeguards intended to address the CJEU's concerns in Schrems II, including: (i) requirements to limit access by US intelligence authorities to what is necessary and proportionate to protect US national security; (ii) enhanced oversight of activities by US intelligence services to ensure their compliance with the safeguards; and (iii) the establishment of an independent and impartial redress mechanism for EU citizens.
Next steps
The draft adequacy decision will now move through an extensive stakeholder consultation. Firstly, the European Data Protection Board will give its non-binding opinion. Secondly, a committee composed of representatives of the EU Member States will need to grant its approval. Finally, the European Parliament has a right to scrutinise the draft adequacy decision. The decision is expected to be finalised and become effective around July 2023.
Key takeaways
If it passes these hurdles, the DPF will operate in much the same way as the previous Privacy Shield and Safe Harbour principles. Under the DPF, however, US organizations will be able to self-certify their adherence to a set of principles (the "Principles"). The key obligations under these Principles include:
- Notice: organizations must inform individuals about their adherence to, among other things, the EU-US DPF and the Principles;
- Purpose limitation: personal data must be limited to the information that is relevant for the purposes of processing;
- Security measures: organizations must take reasonable and appropriate measures to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction;
- Choice: organizations must offer individuals the opportunity to choose (i.e., opt out) whether their personal information is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected;
- Accountability for onward transfers: onward transfers of personal data to a third party in the US or to another third country may only take place subject to specific requirements, such as the entering into of an agreement with the third party;
- Access: individuals must have access to their personal data that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, or has been processed in violation of the Principles; and
- Recourse, enforcement and liability: at a minimum, to ensure proper privacy protection mechanisms must include: (i) readily available independent recourse mechanisms, (ii) follow-up procedures for verifying that the attestations and assertions organizations make about their privacy practices are true; and (iii) obligations to remedy problems arising out of failure to comply with the Principles, including sanctions that are sufficiently rigorous to ensure compliance.
Under the DPF, it will therefore no longer be necessary to enter into Standard Contractual Clauses ("SCCs") to transfer personal data to them from the EU or to complete transfer impact assessments in this regard.
The draft adequacy decision provides for its own suspension or revocation by the European Commission if ongoing monitoring by the European Commission or an EU Member State reveals any detrimental changes to the legal framework and practices of the US.
Privacy activists have already criticised the draft adequacy decision, claiming that the safeguards introduced by the new Executive Order are insufficient to address the CJEU's concerns in Schrems II.
Businesses do not have to take any immediate action at this point. Until the draft adequacy decision is finalised, the new Executive Order can be taken into account when completing transfer impact assessments. However, legal challenges to a finalised adequacy decision may be expected. Therefore, it is noted that an adequacy decision is not the only mechanism to legitimise international data transfers. Organizations can still rely on other transfer tools for EU-US data transfers, such as SCCs, as adopted by the European Commission last year.
For more information on the proposed EU-US Data Privacy Framework and other international transfer mechanisms, please do not hesitate to contact Houthoff's Privacy and Data Protection Team.