International: Commission's draft decision for EU-US DPF - the road to adequacy
The European Commission published, on 13 December 2022, its draft adequacy decision for the EU-US Data Privacy Framework1 ('EU-US DPF'), aimed at fostering safe data flows and addressing concerns raised by the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'). OneTrust DataGuidance provides an overview of the draft decision including its impact on companies moving forward, with expert comments from Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, David Dumont, Partner at Hunton Andrews Kurth, and Mark Francis, Partner at Holland & Knight LLP.
The draft adequacy decision follows the Commission's assessment of the US legal framework, which includes the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities2 ('the Executive Order'), signed by President Joe Biden, as well as regulations establishing a Data Protection Review Court. Both of which were issued as a direct response to the Schrems II Case and were aimed at remedying the CJEU's concerns surrounding adequate redress mechanisms for data subjects and authorities' access to data.
With its draft adequacy decision, the Commission has proposed that US companies certified under the EU-US DPF will be recognised as providing an adequate level of data protection comparable to that of the EU.
In particular, David Dumont noted that "the adequacy decision heavily focuses on the US legal framework around public authority access to personal data originating from the EU. This was expected, as this goes to the core issues raised in the Schrems II judgment, in which the CJEU did not challenge the commercial principles of the Privacy Shield. Following the Schrems II judgment, the US has made significant changes in its legal framework around government surveillance to accommodate the CJEU's concerns, recognising the importance of free data flows for the transatlantic partnership. These efforts have resulted in a positive draft adequacy decision from the Commission, which will hopefully be confirmed by the European Data Protection Board ('EDPB'), the EU Member States and the European Parliament ('the Parliament').
[Moreover, highlighting that] the adoption of the adequacy decision with respect to the EU-US DPF will not only provide organisations with an additional tool to legitimise EU-US data flows, it will also be an important element to consider when performing transfer risk assessments, which are required for other transfer mechanisms, such as EU Standard Contractual Clauses ('SCCs') and Binding Corporate Rules ('BCRs'), before transferring data to the US."
Correspondingly, Mark Francis explained that "it is clear that this decision is above all else seeking to overcome the challenges that led to invalidation of the Privacy Shield framework and tackles head on the Schrems II judgment, so the most significant sections appear to be the Commission's attention to new restrictions imposed on US government surveillance, increased oversight of US intelligence authorities, and brand new redress mechanisms."
Scope of the EU-US Data Privacy Framework and its Principles
The EU-US DPF will apply to any personal data transferred from the EU to US based on the certification scheme. Therefore, organisations wishing to transfer personal data from the EU to US must first follow the procedures for self-certification and adhere to the Principles, as well as the Supplemental Principles. Certified organisations can be both controllers or processors and must enter into a contract with any EU controller to guarantee the provision of any necessary assistance. In addition to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') definitions, the Principles cover pseudonymised research data, although, data collected for publication, broadcast, or other forms public communication of journalistic material are exempt from the EU-US DPF.
Odia Kagan commented that "companies have their work cut out for them with new requirements like data minimisation, records retention limitation, purpose specification, incompatibility analysis, special treatment of sensitive information, an expanded right to opt out, revisions of privacy notices; and revisions of downstream agreements. I haven't asked him… but I would dare say that even Max Schrems, who has already been vocal about his misgivings about this arrangements, due to issues with the nature of the Executive Order, the proportionality and the independence of the new Data Protection Review Court, would support US-based companies upgrading their compliance from where it is now, to something that, while not identical to GDPR protection, is much closer to it than what they have now."
Regarding the Principles, organisations must adhere to the following for as long as they retain the personal information:
- The Notice Principle: An organisation must inform individuals about its participation in the EU-US DPF, their rights, purposes for which it collects and uses personal information about them, among other things.
- The Choice Principle: An organisation must offer individuals the opportunity to choose (i.e. opt out) whether their personal information is disclosed to a third party or used for a materially different purpose for which it was originally collected.
- The Accountability for Onward Transfer Principle: To transfer personal information to a third party acting as a controller, organisations must comply with the Notice and Choice Principles and enter into a contract with the third-party controller. Specific conditions apply to a third party acting as an agent.
- The Security Principle: organisations must take reasonable and appropriate measures to protect personal information.
- The Data Integrity and Purpose Limitation Principle: Personal information must be limited to the information that is relevant for the purposes of processing and organisations must take reasonable steps to ensure that personal data is reliable, accurate, complete, and current.
- The Access Principle: Individuals must have access to personal information about themselves, except where the burden or expense of providing it would be disproportionate to the risks to the individual's privacy or where third-party rights would be violated.
- The Recourse, Enforcement, and Liability Principle: This Principle sets out minimum mechanisms' organisations must implement to ensure effective recourse and consequences for the organisation when Principles are not followed.
In its decision, the Commission mapped the Principles against those found within the GDPR, noting some obvious mappings, such as the Security Principle to data security. Furthermore, the Commission determined that the Access Principle satisfies the protection of data subject rights and that the Recourse, Enforcement, and Liability Principles map to the concept of accountability under the GDPR. In a similar way that data processing principles under the GDPR must be read together, the Principles of the EU-US DPF should be read together to complete the compliance picture.
Odia Kagan noted,"I was a bit surprised to see the principles for the first time attached to the decision. The Principles are structured in a very similar manner to the Privacy Shield Principles but with a number of adaptations intended to get them closer to GDPR and thus the 'essential adequacy' standard. While still not fully aligned with GDPR, and in some cases not as strict as either California Privacy Rights Act ('CPRA') or the Colorado Privacy Act ('CPA'), the Principles, if implemented in earnest have a LOT of work to do for companies, both those that certified under Privacy Shield in the past and those that are re-certifying. In addition, the Federal Trade Commission ('FTC') is the one who will be in charge of enforcement, and based on what we have seen recently of FTC enforcement, we can expect this to be serious in-depth enforcement."
Access and use of personal data by US authorities
Further to the above, the Commission extensively focused on evaluating whether the conditions under which US public authorities may gain access, for criminal law enforcement and national security purposes, to data transferred to the US under the EU-US DPF meet the essential equivalence test under Article 45(1) of the GDPR. To this end, the Commission took into account several criteria, as laid down by the jurisprudence of the CJEU, notably the Schrems I and II judgments.
Specifically, in regard to both data access and use for criminal law enforcement purposes and for national security purposes, the Commission provided a detailed analysis of:
- legal bases, limitations, and safeguards;
- oversight; and
With regards to access and collection of personal data for national security purposes, the Commission evaluated, among other things, the limitations and safeguards for all US signals intelligence activities established by the Executive Order. Notably, the Commission considered that the process laid down by the Executive Order ensures that privacy considerations are taken into account from the initial stage where intelligence priorities are developed.
The EU-US DPF provides data subjects with various mechanisms to enforce their rights, lodge complaints regarding non-compliance by EU-US organisations, and to have their complaints resolved, if necessary, by a decision providing an effective remedy.
In turn, this means that, in order to be certified, organisations must meet the standards laid down by the Principle of Recourse, Enforcement, and Liability, by offering effective and easily accessible independent recourse procedures via which each individual's complaints and disputes may be examined and swiftly addressed at no cost to the individual.
There are various mechanisms available to data subjects. Individuals may choose freely to pursue any of the mechanisms, with no hierarchy or specific sequence to follow, with the only exception of the arbitral panel, which is a last resort mechanism.
Organisations must cooperate with the EU DPA when:
- the complaint concerns the processing of human resource data collected in the context of an employment relationship; and
- the organisation has voluntary submitted to the oversight of the DPA.
The DoC may also receive, review, and resolve complaints. In this regard, the DoC has committed to lay down a special procedure, whereby DPAs may refer complaints to an especially designated contact point, and subsequently track them. Similarly, the FTC has committed to establish a standardised referral process, to designate a point of contact for DPA referrals, and to exchange information on referrals. In addition, the FTC may accept complaints directly from individuals and undertake EU-US DPF investigations ex officio. However, precedence will be given to referrals of non-compliance with the Principles received from independent dispute resolution or self-regulatory bodies, the DoC, and DPAs.
Moreover, individuals may, under certain conditions, obtain judicial redress (including compensation for damages) under State consumer laws and under tort law.
When all other redress mechanisms have been exhausted, individuals may invoke binding arbitration by the EU-US DPF Panel. In this regard, the DoC nominated the International Centre for Dispute Resolution to administer arbitrations, which will be governed by rules agreed between the DoC and the Commission, to supplement the EU-US DPF.
In order to offer effective remedies against non-compliance, the EU-US DPF Panel is equipped with the powers to impose individual-specific, non-monetary equitable relief. Notably, while the EU-US DPF Panel takes into account other remedies already obtained by other EU-US DPF mechanisms when making its determination, individuals may still resort to arbitration if they consider these other remedies to be insufficient.
Certification and enforcement
The responsibility of administering and monitoring compliance with the EU-US DPF will lie with the DoC. To this end, the EU-US DPF establishes oversights and enforcement mechanisms, which are set out in the Annexes to the draft adequacy decision, and include certification, re-certification, compliance monitoring, and redress.
On this point, David Dumont highlighted that "the mechanics of the EU-US Data Privacy Framework (e.g., a system of annual self-certification to a set of principles, administered by the DoC with oversight by the FTC and the Department of Transportation ('DoT')) and the commercial obligations are very similar to the Privacy Shield framework. Organisations that have maintained their Shield certification despite the Schrems II judgment, are, therefore, likely to be in a good position to rely on the new Framework to legitimise their EU-US data flows."
In order to certify, organisations must fulfil various obligations, including publicly declare their commitment to comply with the Principles, publish their privacy policies, and provide the DoC with information, such as the purposes of the data processing undertaken and the relevant independent recourse mechanism.
Once the DoC determines that an organisation's certification submission is complete and adds the same to the DPF list, the organisation concerned is allowed to receive personal data from the EU on the basis of the EU-US DPF, and to publicly declare the same. However, in order to continue receiving personal data, organisations must re-certify their participation to the EU-US DPF on an annual basis, a process expected to last up to 45 days. Should an organisation fail to re-certify or decide not to re-certify for any reason, it must remove all statements implying its participation in the EU-US DPF. False representations may be subjected to enforcement measures.
If there is convincing evidence that an organisation is failing to meet its obligations under the EU-US DPF, the DoC will compel the organisation to fill out and submit a comprehensive questionnaire. In case of failure to respond adequately and on time to the questionnaire, the organisation concerned will be reported to the appropriate authorities (the FTC or the DoT) for possible enforcement action. Further, should an organisation persistently fail to comply with the Principles, it will be removed from the DPF list and, notably, will be obliged to return or delete the personal data received under the EU-US DPF.
Moreover, the DoC will publish a list of certified organisations, which will be updated regularly based on the annual re-certifications. Additionally, it will maintain a public record of the organisations which have been removed from the list, including the reason for such removal. At the same time, the DoC will provide a link to the FTC's website, containing the enforcement actions taken by the latter under the EU-US DPF.
As noted by Odia Kagan above, enforcement powers in relation to the EU-US DPF are assigned to the FTC and the DoT. Specifically, the FTC has the authority to examine both compliance with the Principles and misleading claims of adherence to the same or participation to the EU-US DPF, whereas the DoT authority is limited to overseeing airlines' privacy practises, though it shares jurisdiction with the FTC over ticket agents' privacy practises in the sale of air transportation.
None of Your Business ('NOYB') and the Electronic Privacy Information Center ('EPIC') have already reacted to the decision, recalling some initial concerns with the Executive Order upon which the decision relies. David Dumont discussed that "it is very likely that the adequacy decision will be challenged by privacy activists sooner rather than later. The Commission is undoubtedly aware of this and seems confident that the decision will withstand the CJEU's test this time.
Although privacy activists will likely find grounds to challenge the adequacy decision, it is less likely that such challenge would be successful (although this cannot be ruled out).
If the new adequacy decision would, once again, be struck down by the CJEU, organisations may lose faith in the feasibility of a successful EU–US data transfer framework and turn to EU SCCs as their sole and permanent solution to legitimise data transfers to the US. The adequacy decision seems to strike a good balance between the importance of the partnership between the EU and the US while ensuring that the level of protection for EU individuals' data and privacy is not undermined. In the current economic and geopolitical context, a stable framework for transatlantic data flows is of key importance."
On this point, Mark Francis also commented that "I don't think there will be a material shift to reliance on the new framework until it survives the inevitable legal challenge, but in the interim many businesses may be more relaxed with respect to supplementary measures given the required changes to US government activities and the new redress mechanisms. If the decision is ultimately upheld by the CJEU we may see a large jump from SCCs to reliance on the framework, given that negotiating and executing SCCs can be a very real burden for businesses who routinely contract with providers, customers and other third parties in regard to activities that involve cross-border data transfers.
I do think the evolution of cross-border frameworks has led to additional privacy protections and commitments by US authorities, which in turn weakens the challenges presented by Max Schrems. In particular, the issues that Max Schrems has publicly identified with respect to this newest framework appear to be less compelling than in the past, so I am optimistic that the CJEU will uphold the validity of transfers under this new framework."
The Commission has sent the draft adequacy decision to the EDPB for its opinion. The Commission will then seek approval from a committee composed of representatives of the EU Member States. Importantly, the European Parliament will also have the right to review the adequacy decision. Once this procedure is completed, the Commission will be able to proceed with adopting the final adequacy decision. Notably however, the entry into force of the draft adequacy decision is conditional upon the adoption of the policies and procedures required to implement the Executive Order by all US intelligence agencies and the designation of the EU as a qualifying organisation for the purpose of redress mechanism.
David Dumont concluded that "the EDPB's Opinion will likely be of key importance for the rest of the legislative process. If this Opinion is positive, the adequacy decision is more likely to get approval from the committee of EU Member States' representatives and less likely to be scrutinised by the European Parliament."
Finally, Odia Kagan commented that "with an adequacy decision comes the recognition that the #NSAAtemycookies is not the end of the world, and with it, possibly the end of the need for extreme supplementary measures that 'lock out the National Security Agency at all costs'. However, does it mean the end for the Transfer Impact Assessments and supplementary measures? I would say, not necessarily. Just like you need to do a preliminary 'Privacy Impact Assessment' to determine whether or not you need a full blown 'Data Protection Impact Assessmetnt' – you still need to know your transfers, in depth, in order to comply with your Article 25 obligation as a data controller."
For further information on the EU-US DPF please see our previous Insight articles:
- International: Trans-Atlantic Data Privacy Framework – What you need to know
- International: Understanding data transfers under the new EU-US Data Privacy Framework
- International: Breakdown of US Executive Order implementing the EU-US DPF
- International: Overview of the DPRC Regulations
Comments submitted by:
Odia Kagan Partner and Chair of GDPR Compliance & International Privacy
Fox Rothschild LLP, Philadelphia
David Dumont Partner
Hunton Andrews Kurth, Belgium
Mark Francis Partner
Holland & Knight LLP, New York
1. See: https://commission.europa.eu/system/files/2022-12/Draft%20adequacy%20decision%20on%20EU-US%20Data%20Privacy%20Framework_0.pdf 2. See: https://www.dataguidance.com/news/international-president-biden-signs-executive-order