On 13th December, the European Commission published a draft adequacy decision to enhance and replace its 2016 adequacy decision for the EU-U.S. Privacy Shield framework (“Privacy Shield”), which was invalidated by the Schrems II decision of the Court of Justice of the European Union (“CJEU”). The Commission has submitted the draft decision to the European Data Protection Board (“EDPB”) for its opinion, and currently expects a committee of EU Member State representatives to approve the draft before July 2023 (the third anniversary of the Schrems II ruling). In parallel, the European Parliament has a right of scrutiny and comment on the draft decision (but no ability to change or reject the decision itself).
Once these steps have been completed, the Commission can formally adopt the final adequacy decision.
The most important consequence of a new adequacy decision (once adopted) is the determination that, for entities that certify to Privacy Shield’s successor, the EU-U.S. Data Privacy Framework (“DPF”), U.S. data protection laws guarantee a level of protection “essentially equivalent” to that ensured in the EU. U.S. entities processing personal data under the DPF will no longer need to sign Standard Contractual Clauses (SCCs) or conduct the case-by-case transfer impact assessments (“TIAs”) imposed for personal data transfers from the EU to the U.S. following the Schrems II ruling. For companies eligible for DPF certification, the adequacy determination will significantly ease their compliance burdens.
For companies without DPF certification, SCCs will likely remain the default transfer mechanism. While TIAs will still be required for these transfers, the recognition in the draft adequacy decision that the U.S. now has in place appropriate legal safeguards relating to government intelligence gathering activities should limit the need to review this element of the legal equivalency test as part of the TIA process.
EU Commissioners and U.S. officials are confident the new adequacy decision will address the concerns of the CJEU in Schrems II. That said, with privacy advocates already planning legal challenges and the decision nearly certain to find its way back to the CJEU for review, there is residual legal risk in relying on the DPF.
It is helpful to have clarity in the draft adequacy decision about how EU-U.S. personal data transfers will operate under the DPF. There is much anticipation that, once live, the decision will ease one of the more difficult administrative challenges in conducting a TIA when transferring personal data from the EU to the U.S. Although the work involved with DPF certification and the potential for enforcement by the U.S. Federal Trade Commission must be considered, we can expect significant interest in certifying to the DPF from organisations wishing to benefit from the streamlined transfer model. While the longevity of the DPF is unknown (particularly given the long history of legal challenges to the prior EU-U.S. adequacy decisions), officials involved in the process are optimistic that this time any substantive concerns have been fully addressed.
If you have any questions about the content of this post, please contact your usual DLA Piper lawyer.