On Tuesday, December 13, 2022, the European Commission (“EC”) published a draft adequacy decision for the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”). After reviewing relevant U.S. law and practice as well as materials submitted by the U.S. Department of Commerce (“DOC”), the EC preliminarily determined that the U.S. ensures an adequate level of protection for personal data transferred under the EU-U.S. DPF from a controller or a processor in the European Union (“EU”) to certified organizations in the U.S.
Octillo continues to keep a close eye on developments pertaining to the EU-U.S. Data Privacy Framework. Check out our previous deep dive into President Biden’s Executive Order on Enhancing Safeguards for U.S. Signals Intelligence Activities.
In today’s blog post, we delve into the EC’s draft adequacy decision and cover what certification under the EU-U.S. Data Privacy Framework would look like for organizations.
The EC’s Conclusions
In July 2020, the Court of Justice of the European Union (“CJEU”) rendered the predecessor EU-U.S. Privacy Shield invalid because of what it perceived were limitations on the protection of personal data arising from U.S. domestic law on access and use of such personal data by U.S. intelligence authorities.
In response, the EC, in this draft adequacy decision, “considers that the United States – through the Principles issued by the U.S. DOC – ensures a level of protection for personal data transferred from the Union to certified organizations in the United States under the EU-U.S. Data Privacy Framework that is essentially equivalent to the one guaranteed by Regulation (EU) 2016/679.” The Principles issued by the U.S. DOC are the obligations and requirements that organizations must adhere to in order to self-certify under the EU-U.S. DPF.
Furthermore, the EC “considers that any interference in the public interest, in particular for criminal law enforcement and national security purposes, by U.S. public authorities with the fundamental rights of the individuals whose personal data are transferred from the Union to the United States under the EU-U.S. Data Privacy Framework, will be limited to what is strictly necessary to achieve the legitimate objective in question and that effective legal protection against such interference exists.”
It is important to point out that the adoption of this draft adequacy decision is “conditional upon the adoption of updated policies and procedures to implement [the Executive Order on Enhancing Safeguards for U.S. Signals Intelligence Activities] by all U.S. intelligence agencies and the designation of the Union as a qualifying organization for the purpose of the redress mechanism.”
EU-U.S. Data Privacy Framework Certification: The Principles and Supplemental Principles
In order to rely on the EU-U.S. Data Privacy Framework to transfer personal data from the EU to the U.S., an organization must self-certify its adherence to the Principles to the DOC. While decisions by organizations to enter into the EU-U.S. DPF are entirely voluntary, subsequent compliance is compulsory. In other words, organizations that self-certify to the DOC and publicly declare their commitment to adhere to the Principles must comply fully with the Principles.
In order to enter the EU-U.S. DPF, an organization must:
- Be subject to the investigatory and enforcement powers of the Federal Trade Commission (“FTC”), the U.S. Department of Transportation (“DOT”) or another statutory body that will effectively ensure compliance with the Principles;
- Publicly declare its commitment to comply with the Principles;
- Publicly disclose its privacy policies in line with these Principles; and
- Fully implement the Principles.
The DOC will maintain and make available to the public an authoritative list of U.S. organizations that have self-certified to the DOC and declared their commitment to adhere to the Principles.
Once entered into, organizations are obligated to apply the Principles to all personal data transferred in reliance on the EU-U.S. DPF. An organization that chooses to extend EU-U.S. DPF benefits to human resources personal information transferred from the EU for use in the context of an employment relationship must indicate this when it self-certifies to the DOC and conform to the requirements set forth in the Supplemental Principles.
The Principles provide for a number of requirements pertaining to notices and disclosures, choice and consent, onward transfers, security measures, data integrity and purpose limitation, access rights, and recourse and enforcement mechanisms. Organizations subject to any one of the state privacy laws may find many of the Principles to be familiar – such as the requirement to disclose the types of personal data collected and the purposes for which they are collected. For the full list of Principles, please see Annex I to the EC’s draft adequacy decision.
The Supplemental Principles
The Supplemental Principles expand on the requirements contained in the Principles. For example, the Supplemental Principles provide further details about handling sensitive data and human resources data, conducting audits, and undergoing the self-certification process. For the full list of Supplemental Principles, please see Annex I to the EC’s draft adequacy decision.
Responses to the Draft Adequacy Decision
In our previous deep dive, we noted that Maximilian Schrems expressed skepticism toward President Biden’s Executive Order on Enhancing Safeguards for U.S. Signals Intelligence Activities. His advocacy organization, none of your business (“NOYB”), issued a statement, remarking that there is no indication that U.S. mass surveillance will change in practice and that the proposed Data Protection Review Court (“DPRC”) will not be a “real” court with true judicial redress.
In response to the EC’s draft adequacy decision, NOYB issued another statement along similar lines:
“We will analyze the draft decision in detail the next days. As the draft decision is based on the known Executive Order, I can’t see how this would survive a challenge before the Court of Justice. It seems that the European Commission just issues similar decisions over and over again – in flagrant breach of our fundamental rights.”
U.S. Secretary of Commerce Gina Raimondo welcomed the announcement of the EC’s draft adequacy decision and is “confident that these measures will restore stability to the data flows that thousands of U.S. and EU firms depend on – the lifeblood of the $7.1 trillion transatlantic economy.”
Key Takeaways for Businesses
As noted by the EC in its press release, the draft adequacy decision will now go through its adoption procedure. As a first step, the EC submitted its draft adequacy decision to the European Data Protection Board. Next, the EC will seek approval from a committee composed of representatives of the EU Member States. The European Parliament also has a right of scrutiny over the draft adequacy decision.
Given all of the above, final adoption of the adequacy decision is likely still months away. However, businesses interested in certification under the EU-U.S. Data Privacy Framework should begin familiarizing themselves with the various requirements provided for by the DOC’s set of Principles and Supplemental Principles.
Octillo will continue to monitor and provide further guidance as new developments come up. If you have any questions regarding this development, please contact a member of our team.
*Attorney advertising: Prior results do not guarantee a similar outcome.