Good News at the End of the Year? New Draft for an "EU-US Data Privacy Framework"
There is hardly any topic that heats up (data protection) minds as much as international data transfer. This applies even more if companies in the US are involved, whether it is about tools for a company's own website, the use of cloud solutions, or the "simple" transfer of data within an internationally operating group. Sooner or later, one question will always come up: Is this compliant under data protection law?
After the European Court of Justice declared the so-called "EU-US Privacy Shield" invalid in its infamous "Schrems II" decision of July 16, 2020, companies (once again) had to resort to alternative mechanisms for legitimization under data protection law. In addition to standard contractual clauses, this may include so-called "Binding Corporate Rules" or - at least in exceptional cases - the data subjects' consent under data protection law. What all cases have in common, however, is that certain data protection risks may remain, which are difficult to fully eliminate. In addition to the sometimes incomprehensibly restrictive interpretation of data protection requirements by the supervisory authorities, it is also necessary to keep an eye on real alternatives to the "big providers". Consequently, companies are sometimes faced with enormous challenges if they want to comply with data protection on the one hand and not disproportionately burden their daily workflow on the other.
However, the aforementioned problems may lead to a "happy ending" in the future, at least in the medium term, as the European Commission published a first draft for a new adequacy decision on December 13, 2022.
But is this sweeping assessment actually correct? An overview of the new regulations:
The chronology to the new draft
As early as March 25, 2022, the European Commission and the United States published a joint declaration for a "Transatlantic Data Protection Framework". It was explicitly stated that the concerns mentioned in the "Schrems II" decision should be eliminated in the future and that the US would make a "voluntary commitment" to take appropriate measures. On October 7, 2022, President Joe Biden then signed an Executive Order "Enhancing Safeguards for United States Signals Intelligence Activities" (EO 10486) - which has already been widely criticized - and which was supposed to be the first step towards ensuring an adequate level of data protection (cf., the comments of the European Commission). We have already reported on this in our article of October 25, 2022.
Since December 13, 2022, the first draft for an "EU-US Data Privacy Framework" has been available, which is intended to legitimize the so-called third country transfer to the USA in the future.
What specific regulations are envisaged?
First of all, the emerging sense of euphoria must be at least somewhat tempered. Even if the European Commission's draft does indeed mature into a final adequacy decision, this does not mean that every data transfer to the USA can be based on it. As with its predecessor (the "EU-US Privacy Shield"), the draft provides for a certification mechanism for US businesses. This means that a data transfer will only benefit from an adequate level of data protection if the receiving company has submitted to the specific regulations of the adequacy decision. Certification by US companies requires that they be subject to the investigative and enforcement powers of either the Federal Trade Commission (FTC) or the US Department of Transportation.
The draft essentially distinguishes between the "EU-US Data Privacy Framework Principles" and the "Supplemental Principles" (as Annex 1), developed by the US Department of Commerce. The latter is also responsible for the administration and monitoring of the respective regulations of the envisaged adequacy decision, which must be observed by the certified US companies in the future. This includes, in particular, that personal data must be deleted if it is no longer needed. Likewise, personal data must continue to be protected (contractually) even if it is passed on (so-called "onward transfer"). Data subjects should also have various legal protection options at their disposal (including free dispute resolution procedures and an arbitration board) in the event of a breach of the Principles.
The European Commission has also set out the most important additional principles of the draft in a short fact sheet ("Key principles"):
- The adequacy decision is intended to enable the free and secure flow of personal data between the EU and certified U.S. companies.
- A new set of rules and binding safeguards are to be provided to limit access to personal data by U.S. authorities - for law enforcement and national security purposes - to what is necessary and proportionate.
- A new two-tier complaint and redress system is to be provided, which also includes the provision of an independent court ("Data Protection Review Court") for data subjects.
Where do we go from here?
The European Commission's draft has already been submitted to the European Data Protection Board for its review and opinion. If this committee, another committee made up of representatives of the EU member states and the European Parliament give their "green light", there will ultimately be nothing standing in the way of the resolution being adopted.
It is not yet possible to make a final assessment of when the resolution will actually come into force. However, we expect it to be adopted in the first quarter of 2023.
Our initial assessment
Although various concerns about the planned measures were already raised after EO 10486 was issued by President Joe Biden - and now also with regard to the European Commission's new draft - we very much welcome the steps taken by the European Commission towards legally secure data transfers to the US.
It may be debatable in detail how far the envisaged "principles" are mature and whether they are ultimately to be regarded as "sufficient". It is also debatable whether the U.S. understanding of proportionate access to personal data by US authorities meets European standards. However, if we consider the current legal uncertainty surrounding the transfer of personal data to the US and the practical need for corresponding regulations, our conclusion can only be: Bring on the adequacy decision! Although individual regulations - as already mentioned - can be criticized, the European Commission's draft represents a significant step towards legal certainty for a large number of European and US companies.
Once the new year 2023 has begun and the political engines of the European Union start running again, it remains to be seen when and in what form the adequacy decision will ultimately be adopted.
Until then, the unfortunately still unpleasant news: companies must continue to observe the deadline for converting existing contracts to the new EU standard contractual clauses, which expires on December 27, 2022. This can lead to a considerable amount of work, both when using individual service providers and in comprehensive Group Data Transfer Agreements. The "old familiar" transfer instruments, such as standard contractual clauses, are therefore far from passé. However, it is to be welcomed that some of the regulations set out in the new draft (particularly in connection with access rights of the US authorities) also "reach through" to other transfer instruments. Insofar as one follows a - in our view preferable - risk-based approach, this would also have to be taken into account in the implementation of standard contractual clauses and the transfer impact assessment to be carried out in the process.
Likewise, in view of the provision of Article 5(2) of the GDPR, it should also be examined in the future whether additional measures, such as the implementation of a transfer impact assessment, make sense despite the existence of an adequacy decision. Ultimately, each controller must be able to prove in each individual case that the requirements of the GDPR are actually respected.
We would be happy to support you "on the last few meters" before, as we very much hope, a legally secure framework for data transfers to the US is created, at least in the medium term.