Key Takeaways
The transfer of personal data between the European Union and the United States has been a sensitive issue for several years. Earlier frameworks adopted by the United States were initially approved by the European Commission in adequacy decisions finding that they ensured a level of protection equivalent to EU data protection law (the 1995 Data Protection Directive, now the GDPR). Those adequacy decisions were later invalidated by the CJEU in the landmark Schrems I (2015) and Schrems II (2020) rulings, concerning the Safe Harbor and Privacy Shield frameworks, respectively.
The European Commission has now adopted a new adequacy decision for the EU-U.S. Data Privacy Framework (DPF), which it considers an improved version of the earlier U.S. frameworks and the product of negotiations between the United States and the Commission. However, the bodies consulted on the draft decision, the European Data Protection Board (EDPB) and the European Parliament, expressed reservations about whether the new framework offers protection in line with the GDPR, leaving doubts about how it would fare if challenged before the CJEU.
The Data Privacy Framework (DPF), a 2.0 Version of the Privacy Shield?
During the discussions on the draft adequacy decision establishing a new transatlantic data transfer framework, the European Data Protection Board (EDPB), in February 2023, and the European Parliament, in May 2023, raised concerns about the Data Privacy Framework (DPF). The DPF is a revised version of the Privacy Shield, which the CJEU invalidated in its Schrems II ruling. Both institutions issued non-binding unfavorable opinions on the Commission's draft adequacy decision.
The central issue is the legal basis of the DPF: U.S. Executive Order 14086 on Enhancing Safeguards for United States Signals Intelligence Activities (EO 14086), signed in October 2022 to address the issues raised by the CJEU in Schrems II.
A U.S. Executive Order to Meet European Requirements
This executive order introduces definitions of key data protection concepts such as necessity and proportionality, a significant improvement over the earlier transfer mechanisms. However, according to the European Parliament, the application of EO 14086 lacks clarity, precision, and legal certainty, since the U.S. president can amend or revoke it at any time and can also issue secret executive orders.
The EDPB has also raised concerns about the effectiveness of the review performed by the Data Protection Review Court (DPRC), the new body created pursuant to EO 14086.
As a reminder, the new redress mechanism has two tiers: a complaint is first filed with the Civil Liberties Protection Officer (CLPO) of the Office of the Director of National Intelligence, whose decision can then be appealed to the new body, the DPRC.
New Protection Mechanisms Considered Insufficient…
The DPRC has broader powers to remedy violations than the previous Ombudsperson mechanism, including the power to order the deletion of data, and it enjoys greater independence. However, in the EDPB's view, the DPRC still does not appear sufficiently independent to guarantee the right to an effective remedy before an impartial tribunal under Article 47 of the EU Charter of Fundamental Rights. For example, where access to data by U.S. public authorities for national security purposes is at issue, individuals must lodge their complaints through a competent national authority in the EU, which forwards them to the U.S. mechanism. Because the legal position of those authorities differs from one member state to another, this can lead to unequal treatment.
Moreover, according to the EDPB and the European Parliament, several steps remained to be completed to bring the framework closer to an essentially equivalent level of protection:
- U.S. intelligence agencies have until October 2023 to update their internal policies and procedures to comply with EO 14086.
- The U.S. Attorney General must designate the EU and its member states as qualifying states whose individuals may use the DPRC redress mechanism, so that the Commission can assess the effectiveness of the remedies and data access mechanisms proposed.
…But Adequacy Decision Adopted by the European Commission
Despite these concerns, the European Commission adopted the adequacy decision on July 10, 2023, finding that the United States ensures, for personal data transferred under the DPF, a level of protection essentially equivalent to that of the General Data Protection Regulation (GDPR).
According to Didier Reynders, Commissioner for Justice, “The adoption of this adequacy decision is the final step in a process aimed at ensuring safe and free data transfers across the Atlantic. It ensures the protection of individual rights in our digital, intangible, and interconnected world, where physical borders no longer matter. Since the adoption of the Schrems II ruling a few years ago, I have worked tirelessly with my American counterparts to address the concerns raised by the Court and ensure that technological progress does not come at the expense of European trust. However, as close partners sharing the same values, the EU and the U.S. have been able to find solutions based on their shared values that are both legal and achievable in their respective systems.”
As a result, personal data can flow from the European Economic Area to U.S. organizations that have self-certified under the DPF (and appear on the Data Privacy Framework List kept by the U.S. Department of Commerce) without any additional transfer safeguard or authorization.
The Commission will continuously monitor developments relating to the adequacy decision; a first review will take place within one year of its entry into force, i.e. by July 2024, to assess whether the DPF safeguards are effectively implemented in practice.
The CJEU may also be called upon to rule on the validity of the DPF, as it did previously with the Safe Harbor and Privacy Shield frameworks in the Schrems I and II decisions.
RSM’s Advice
The adequacy decision is in force: transfers to DPF-certified U.S. organizations can now be handled in the same way as intra-European transfers, subject to the GDPR obligations that apply to any processing.
RSM recommends that, at least in the short term, companies keep the enhanced measures and safeguards they put in place after Schrems II (typically standard contractual clauses together with supplementary measures). For new business relationships, companies should first verify that the U.S. recipient appears on the Data Privacy Framework List, then ensure that the usual compliance guarantees are in place, adding any necessary protective clauses to the contract.
To learn more
The Privacy Shield was a previous agreement between the European Union and the United States to regulate the transfer of personal data. It was invalidated by the Court of Justice of the European Union in the Schrems II ruling.
The main concerns relate to the clarity, precision, and legal certainty of the application of executive order EO 14086, and to the fact that the U.S. president can amend or revoke it at any time.
The U.S. intelligence agencies must update their policies and procedures, and the U.S. Attorney General must designate the European Union and its member states as qualifying states whose individuals may bring complaints before the DPRC (Data Protection Review Court).
The adequacy decision allows personal data to flow from the European Economic Area to DPF-certified organizations in the United States without any additional transfer tool, such as standard contractual clauses; the exporter's ordinary GDPR obligations, the same as for an intra-European transfer, continue to apply.
The European Commission continuously monitors developments related to the adequacy decision, and a first review will take place by July 2024 to assess its effectiveness in practice.