On December 13, 2022, the European Commission (the “Commission”) released a draft adequacy decision for the EU-U.S. Data Privacy Framework (“Framework”). The draft decision proposes the Framework as a new transfer mechanism for EU-U.S. data flows under which U.S. law is “adequate.” It also concludes that U.S. intelligence laws and practices no longer stand in the way of this adequacy finding, as they did at the time of the Schrems II decision.
Overview of the Framework
The draft adequacy decision does not find that U.S. law on its own protects personal data to an “essentially equivalent” level as the laws of the EU. For that to happen, the U.S. would need a data protection law with principles akin to those of the General Data Protection Regulation (“GDPR”). Rather, the draft decision sets forth a Framework containing such principles, under which U.S. law meets the “essentially equivalent” standard.
Like the EU-U.S. Privacy Shield before it, the Framework is voluntary and requires participating companies to self-certify their compliance with a set of privacy obligations for handling European personal data. These include obligations related to transparency, data minimization and accuracy, purpose limitation (i.e., processing personal data for specified purposes and seeking consent for new processing purposes), special safeguards for data considered sensitive under the GDPR, individuals’ rights in relation to their data, and requirements for downstream data recipients.
Certification under the Framework would need to be renewed annually. The Framework would be administered by the U.S. Department of Commerce and enforced by the Federal Trade Commission and the U.S. Department of Transportation (for airlines and other areas for which the DOT is the primary consumer protection regulator). The Framework also provides several redress methods in the event of noncompliance with the Framework. Companies certified under the Framework would not need to use other transfer mechanisms such as Standard Contractual Clauses (“SCCs”) to legalize data transfers to the U.S.
Resolution of Schrems Concerns
In finding that the U.S. would be adequate under the Framework, the Commission extensively reviewed U.S. laws and practices. It particularly focused on U.S. government access to personal data via signals intelligence activity under Executive Order 12333 (“EO 12333”) and “bulk” data collection under Section 702 of the Foreign Intelligence Surveillance Act (“FISA 702”). In its Schrems II decision, the European Union Court of Justice struck down the Privacy Shield because it held that there was no effective redress for EU individuals affected by surveillance under FISA 702 and EO 12333, undermining EU fundamental rights.
In the draft adequacy decision, the Commission concludes that FISA 702 and EO 12333 no longer prevent a finding of adequacy because of the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities dated October 7, 2022 (“EO 14086”) and the accompanying Department of Justice regulations that establish a Data Protection Review Court (“DPRC Regulations”) to review claims related to U.S. signals intelligence activities. The Commission found that EO 14086 places appropriate limits on intelligence agencies and signals intelligence, such as limiting intelligence agencies’ access to data to what is “necessary and proportionate” to protect national security. The Commission also concluded that EO 14086 and the DPRC Regulations (which will fully take effect with respect to the EU only if and when the adequacy decision takes effect) provide “effective redress rights” to EU individuals who may be affected by U.S. intelligence activities. In other words, if the adequacy decision is adopted, FISA 702 and EO 12333 will no longer undermine EU fundamental rights as they were held to do in the Schrems II decision.
This conclusion is momentous. Since the Schrems II decision, the possibility of U.S. government access to personal data under FISA 702 and EO 12333 has hampered transatlantic data flows and required companies to prepare elaborate transfer impact assessments analyzing the risks to transferred EU data under these laws. If the adequacy decision is finalized, transfer impact assessments will be more streamlined for companies that continue to rely on the SCCs because FISA 702 and EO 12333 will not pose risks that require additional data protection safeguards. If the adequacy decision is not finalized – and thus, EU individuals cannot use the signals intelligence redress mechanism under EO 14086 and the DPRC Regulations – the Schrems II concerns about redress in relation to FISA 702 and EO 12333 will remain. However, transfer impact assessments can still consider the limitations on signals intelligence under EO 14086.
Before the draft adequacy decision is adopted, it must be reviewed by the European Data Protection Board, EU Member States, and the European Parliament. A final decision is not expected before spring 2023. Although a final decision may be subject to legal challenges (as Max Schrems was quick to note), there is good reason to hope that it will yield a durable data transfer solution.