Jul 122023

EU-U.S. Adequacy Once Again

Alan Charles Raul, William RM Long, Maarten Meulenbelt and Lauren Kitces
, , , , , , , , , , ,

On July 10, 2023, the European Commission issued its Final Implementing Decision granting the U.S. adequacy (“Adequacy Decision”) with respect to companies that subscribe to the EU-U.S. Data Privacy Framework (“DPF”).

This decision, coordinated with the Attorney General’s determination that the EU and EEA countries are “qualifying states” under President Biden’s Executive Order 14086 on Enhancing Safeguards for U.S. Signals Intelligence (“EO”), follows nearly a year and a half of intense collaboration between the EU and U.S. to develop a durable solution to international data transfers between the two jurisdictions.

The process has been underway for nearly three years since the invalidation of Privacy Shield as a mechanism to legitimate personal data transfers from the EU by the Court of Justice of the European Union (“CJEU”) in the Schrems II decision.

Key Takeaways

  • As noted in the Adequacy Decision: “taken as a whole, the oversight mechanisms and redress avenues in U.S. law enable infringements of the data protection rules to be identified and punished in practice and offer legal remedies to the data subject to obtain access to personal data relating to him/her and, eventually, the rectification or erasure of such data.”
  • Significantly, as “qualifying states” under the Executive Order, the Attorney General has determined (based on a “holistic,” detailed DOJ legal analysis of European surveillance laws, and a corresponding supporting letter from the EU) that the EU/EEA intelligence agencies provide “appropriate safeguards” for the personal data of US Persons that is transferred to the territories of the EU/EEA, and that those countries will permit the flow of data to the U.S. for commercial purposes.
  • Companies whose existing membership in the Privacy Shield is current are automatically and immediately entitled to receive data transfers from the EU under the DPF.
  • Companies that now wish to join the DPF may self-certify through the soon to be released new Department of Commerce website.
  • Entities relying on SCCs or BCRs are able to rely on the analysis in the Adequacy Decision as support for their transfer impact assessments required by the Schrems II decision regarding the equivalence of U.S. national security safeguards and redress.
  • A legal challenge to the DPF is certain, but there is a greater chance this adequacy approach will prevail as a result of new and tighter substantive standards, meaningful redress, relevant changes in European jurisprudence, and a growing international consensus that democratic nations have generally comparable commitments to protect privacy while conducting surveillance.

Below we breakdown key details of the DPF, how companies can join, the status of non-DPF data transfers, and the likely future path for the DPF.

DPF Requirements

The DPF’s foundation is found in the EO and the EU-U.S. Data Privacy Framework Principles (“DPF Principles”).

The Adequacy Decision requires that there are periodic reviews of the DPF carried out by the Commission, EU DPAs, and appropriate U.S. authorities. If there are indications identified in a review that an adequate level of protection is no longer present, then the DPF can be suspended, amended, repealed, or limited in scope.

The first such review will occur in July 2024. This is significantly shorter than the four-year review time frame for review of UK adequacy, but it is not structured as a sunset deadline, unlike the UK adequacy decision.

Fulfillment of Executive Order 14086

On October 7, 2022, President Biden released the EO, which addressed the key issues noted by the CJEU in Schrems II, including the need for greater limitations and safeguards of surveillance activities and an independent redress mechanism.

The various administrative steps required by the EO were completed leading up to the issuance of the Adequacy Decision. This included:

  1. The Office of the Director of National Intelligence (“ODNI”) confirming on July 3, 2023, that the Intelligence Community related policies and procedures have been updated to implement the privacy and civil liberties safeguards specified in the EO. The Commission recognized the newly added considerations for necessity and proportionality addressed by the EO in the Adequacy Decision.
  2. The creation of an independent redress mechanism that will be available to all EU/EEA data subjects. Complaints will be initially filed through the appropriate EEA jurisdiction for the individual, and then transmitted to the U.S. by the EDPB. In the U.S., there will first be an investigation by the ODNI Civil Liberties Protection Officer followed by the possibility of appeal to the newly created Data Protection Review Court. This process, established by Attorney General regulations, will take place within the Executive Branch and will not require any finding of Article III judicial “standing” (i.e., injury-in-fact) in order to investigate complaints fully and compel remediation if any surveillance violations are found.

In satisfaction of the EO, the Attorney General’s designation of the EU/EEA as “qualifying states” means that they provide appropriate safeguards for U.S. personal data obtained by European national security agencies after the data is transferred to the EU/EEA, and that the EEA countries will permit the transfer of EU personal data to the U.S. for commercial purposes. These reciprocity obligations for the EU/EEA side will help assure that U.S. commitments in support of the Framework are not one-sided.

In a holistic detailed legal analysis, the Department of Justice found that the (1) EU/EEA member countries require appropriate safeguards in the conduct of signals intelligence activities for United States persons’ personal information that is transferred from the United States to the territory of the member countries of the European Economic Area; (2) EU/EEA member countries will permit the transfer of personal information for commercial purposes between the territory of the member countries of the European Economic Area and the territory of the United States; and, (3) the designation [as qualifying states] of the EU, Iceland, Liechtenstein, and Norway would advance the national interests of the United States.

In support of its findings, the DOJ draws significantly on decisions of the European Court of Human Rights (“ECtHR”), which is the European court with primary jurisdiction over national security and the surveillance privacy standards for EEA Member States.

ECtHR rulings have shaped the boundaries of necessity and proportionality requirements for EEA governmental surveillance activities, and the DOJ determined that the boundaries established by EEA member state laws are sufficient to meet the qualifying state requirements in the EO. While the DOJ recognizes that some EEA member states may in fact have lesser standards than those afforded in the U.S., it explicitly recognizes that differing approaches from countries “sharing democratic values and a commitment to the rule of law” can still constitute sufficient protections.

This conclusion is a key component in finalizing the DPF and helps to facilitate the roughly $1 trillion in annual trans-Atlantic trade that requires dataflows.

EU-U.S. Data Privacy Framework Principles

The EU-U.S. Data Privacy Framework Principles (“DPF Principles”) are set forth in Annex I of the Adequacy Decision and are substantively the same as the Privacy Shield Principles. This continuity seems appropriate given that the concerns raised in Schrems II concerned only national security surveillance and did not take issue with the Privacy Shield Principles.

Joining the DPF

Companies that have maintained their membership in the Privacy Shield will automatically and immediately be part of the DPF. Such Privacy Shield companies will have 3 months to make conforming changes to reflect references to the DPF in their various relevant policies and other materials.

Non-Privacy Shield members that now want to join the DPF, will go through a process that closely tracks the prior Privacy Shield process.

This will include drafting an appropriate privacy policy, selecting and identifying a recourse mechanism, and self-certifying (after undertaking an appropriate, internal conformity assessment to assure compliance with the Framework Principles).

As a reminder, this process is only available to entities that are subject to the jurisdiction of the Federal Trade Commission or the Department of Transportation. At the time of publication, the new website for the DPF is not yet live, but the Department of Commerce has announced that a new website will soon be available and begin to accept new self-certifications shortly.

Importantly, the Department of Commerce has also announced that companies will also immediately be able to self-certify to the UK and Swiss extensions of the DPF, but that the UK component won’t be live until the finalization of the separate and ongoing UK-U.S. adequacy process.

Companies certified to the DPF will be listed on the website for easy reference.

Use of Other Transfer Methods

The recent finalization of the Adequacy Decision as well as the EO and Attorney General determination are important not just for the DPF, but for all Article 46 EU-U.S. data transfer mechanisms.

While entities will now be able to sign-up to the DPF and obviate the need to use standard contractual clauses (“SCCs”) or binding corporate rules (“BCRs”) (at least in certain circumstances), the fact remains that a significant amount of data has been processed subject to these transfer mechanisms and in many instances will continue to be so processed. Therefore, support for these transfer mechanisms remains a key consideration for EU-U.S. personal data transfers.

To this end, entities relying on SCCs or BCRs will now be able to rely on the analysis in the Adequacy Decision in their transfer impact assessments, as was highlighted in the FAQs released by the European Commission.

Challenges Expected

Unsurprisingly, Max Schrems has already declared through his not-for-profit entity, noyb, that he will mount a challenge to the newly made adequacy assessment.

Aside from Schrems, there is a possibility that a legal assessment of the DPF will arise much sooner. The Irish Data Protection Commissioner has issued recent decisions regarding transfers of personal data from the EU to the U.S. that are being appealed. As part of the appeals process, the Irish High Court may need or choose to address the sufficiency of the EO and/or the DPF to resolve the national security concerns raised by the CJEU regarding international transfers to the U.S.

The ability of the DPF to survive a legal challenge seems significantly higher than in the past.

The new approach has substantive standards embodied in the EO, a meaningful redress mechanism where potential surveillance violations will be thoroughly and independently investigated, a focus on the applicable rulings of the ECtHR and new jurisprudence post-dating Schrems II from the CJEU,  and a comprehensive assessment and comparison of US and EU/EEA privacy and civil liberties regimes for electronic surveillance as provided by the U.S. Department of Justice. In addition, the December 2022 OECD Declaration established that that there is an international consensus that the U.S., EU Member States, and other democratic OECD members share comparable standards and commitments with regard to the national security surveillance they conduct.

Hear More from the Experts

Join Sidley and experts who played a role in the crafting the DPF and the supporting U.S. materials and processes on July 13, 2023, at 11am EST at a webinar hosted by OneTrust DataGuidance.

You can see more information and register here.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

Alan Charles Raul

Washington, D.C., New York

araul@sidley.com

William RM Long

London

wlong@sidley.com

Maarten Meulenbelt

Brussels

mmeulenbelt@sidley.com

Lauren Kitces

Washington, D.C.

lkitces@sidley.com

You might also like
Top 10 Questions on the EU AI Act

The EU AI Act will be the first standalone piece of legislation worldwide regulating the use and provision of AI in the EU, and will form a key consideration in AI governance programs. The AI Act will have a significant impact on many organizations inside and outside the EU, with failure to comply potentially leading to fines of up to 7% of annual worldwide turnover.

EU Formally Adopts Cyber Law for Connected Products

On 12 March 2024, the European Parliament approved the EU Cyber Resilience Act (“CRA”) with a large majority of 517-12 votes in favor of the legislation (with 78 abstentions). The CRA aims to ensure that “products with digital elements” (“PDE”) i.e., connected products such as smart devices, and remote data processing solutions, are resilient against cyber threats and provide key information in relation to their security properties.

Chambers 2024 Global Practice Guides for Data Protection & Privacy and Cybersecurity
The newest editions of the Chambers Global Practice Guides have been published and, once again, Sidley lawyers have contributed to two guides: Data Protection & Privacy 2024 and Cybersecurity 2024. These publications cover important developments across the globe and offer insightful legal commentary for businesses on issues related to data privacy and cybersecurity, such as regulatory enforcement and litigation, global cooperation to combat cybercrime, international agreement on ‘Software Security by Design,’ a global approach to policy on artificial intelligence, and more. Sidley partner Alan Charles Raul is a contributing editor to both guides in addition to authoring the introductions. The UK chapters of Cybersecurity 2024, covering “UK Law and Practice” and “UK Trends and Development” were authored by Sidley lawyers William Long, Francesca Blythe, Denise Kara, and Eleanor Dodding.