5 Years of GDPR | Is the US Adequacy Decision Adequate?
Transfers of personal data to the US have been problematic for several years. Expectations are high that the EU Commission will solve the problem shortly by issuing an adequacy decision for the new EU-US Data Privacy Framework (DPF) during spring 2023. However, there are also concerns that the solution will only be temporary and that we can expect a ‘Schrems III case’ as a direct consequence of the decision. This would instantly imply new uncertainty.
Considering the current situation, will we be able to trust the adequacy decision while promoting sustainable privacy?
The draft adequacy decision
In December 2022 the EU Commission issued its draft adequacy decision and launched the process towards the adoption of an adequacy decision for the EU-US Data Privacy Framework (DPF), which is intended to foster safe trans-Atlantic data flows and address the concerns raised by the EU Court of Justice in its Schrems II decision of July 2020. In the draft decision, the Commission concludes that the updated US legal framework provides comparable safeguards to those of the EU.
Substantial improvements of the US legal framework
The draft decision follows the signature of a US Executive Order (EO) by President Biden on October 7th 2022 and regulations issued by the US Attorney General. These two instruments implement substantial improvements to the US legal system. A number of limitations and safeguards regarding the access to data by US public authorities have been implemented. Access to European data by US intelligence agencies will be limited to what is necessary and proportionate to protect national security. Further, EU individuals will have the possibility to obtain redress regarding the collection and use of their data by US intelligence agencies before an independent and impartial redress mechanism, which includes a newly created Data Protection Review Court. US companies will be able to join the DPF by committing to comply with a detailed set of privacy obligations, for example, to delete personal data and to ensure continuity of protection when personal data is shared with third parties.
EDPB’s views on the draft adequacy decision
The European Data Protection Board (EDPB) has welcomed the substantial improvements in the US legal framework; however, it has also expressed some concerns and requested some clarifications. In particular, the concerns relate to:
- certain rights of the data subject,
- onward transfers,
- the scope of the exemptions,
- temporary bulk collection of data, and
- the practical functioning of the redress mechanism.
The EDPB recommends that the concerns are addressed, and the questions clarified, to ensure that the adequacy decision will endure. As not all changes to the US legal framework have been implemented yet, the EDPB would like not only the entry into force but also the adoption of the decision to be conditional upon the full implementation of the updated framework. Further, the EDPB suggests the adequacy decision should be reviewed at least every three years.
Schrems/NOYB’s views
The comment from Max Schrems’ organisation NOYB – European Center for Digital Rights – has been that the updated US law fails both in terms of proportionality when it comes to surveillance, and regarding access to judicial redress. NOYB claims that the changes in US law seem minimal and that the EO oversells and underperforms when it comes to the protection of non-US persons. According to NOYB, an adequacy decision based on the EO will likely not satisfy the EU Court of Justice, meaning that yet another deal between the US Government and the EU Commission may fail.
Conclusions and Recommendations
It is expected that the EU Commission will adopt the adequacy decision – the question is when, and how soon it can be used as a valid transfer tool. As the EDPB has advised that the adoption of the decision, or at least its entry into force, should be conditional upon the full implementation of the updated framework, it is possible that additional time will pass before it can take effect. It is also very likely that the decision will be challenged, and we should certainly prepare for a “Schrems III[1]” case. This means that transfers of personal data to the US will remain subject to uncertainty for some time still.
So, how should companies act in the current situation? Well, not much has changed during the last months, so most companies have most likely already mapped their third-country transfers and documented their Transfer Impact Assessment, albeit with some outstanding risk related to US transfers. At some point, the adequacy decision will constitute a valid tool for data transfers to the US; however, it is unclear when this will happen and how long it will last.
Due to the uncertainty, it would be recommended to still be cautious in relation to planning for long-term set-ups involving the US, and also in relation to transfers of sensitive data to the US. Even if there have been substantial improvements in the US regulatory framework, parts of the implementation are still pending and there are still concerns, which in practice exclude US data flows, or even US involvement, from being part of a sustainable privacy set-up. The current uncertainty will only be eliminated if and when the EU Court of Justice confirms the adequacy decision of the DPF in a future Schrems III case, which we all see coming. It is now up to the EU Commission to do what they can to address the concerns and clarify the questions raised by the EDPB, to substantiate a sustainable adequacy decision. The rest of us can only wait and see.
5 Years of GDPR
May 25th, 2023, marks the five-year anniversary of the enforcement of GDPR. This spring we reflect on and review the first comprehensive privacy regulation in a series of publications and events. Stay tuned for insights and perspectives on expectations vs. realities of a sustainable privacy arena, the legal ecosystem of GDPR, the future role of tech and much more.