On December 13, 2022, the European Commission released its draft adequacy decision on the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), which, once formally adopted, would recognize that the United States ensures an adequate level of protection for personal data transferred from the EU to organizations certified under the EU-U.S. DPF.  The draft decision follows the issuance of Executive Order 14086 on Enhancing Safeguards for U.S. Signals Intelligence Activities (“EO 14086”) by President Biden on October 7, 2022 (see our previous blog post here), and the political agreement reached between the EU and the U.S. in March 2022 (see our previous blog post here).

As many had expected, the draft adequacy decision assesses the limitations and safeguards relating to the collection and subsequent use of personal data transferred to controllers and processors in the United States by U.S. public authorities.  In particular, the draft decision assesses whether the conditions under which the U.S. government may access data transferred to the United States fulfill the “essential equivalence” test pursuant to Article 45(1) of the GDPR, as interpreted by the Court of Justice of the European Union (“CJEU”) in Schrems II (see our previous blog post here). 

As part of this assessment, the draft decision considers U.S. public authorities’ access to and use of personal data for criminal law enforcement and national security purposes, the latter of which was a key concern of the CJEU in Schrems II.  The draft decision describes, among other matters, the safeguards established by EO 14086, and notes that EO 14086 is a “particularly important element” of the EU-U.S. DPF, supplementing the DPF’s Principles (the “Principles”) to achieve “essential equivalence”.  On the basis of the safeguards set forth in EO 14086, together with additional limitations on government access and use of personal data in U.S. law, the draft adequacy decision concludes that “when U.S. law enforcement and national security authorities access personal data falling within the scope of this Decision, such access is governed by a legal framework that lays down the conditions under which access can take place and ensures that access and further use of the data is limited to what is necessary and proportionate to the public interest objective pursued.”  The draft decision further concludes that these safeguards may be “invoked by individuals who enjoy effective redress rights.”

As described in the draft adequacy decision, under the new EU-U.S. DPF, U.S. controllers and processors will be able to self-certify their adherence to a set of Principles, including Supplemental Principles, issued by the U.S. Department of Commerce.  The Principles, which were included in the package of materials transmitted to the Commission by the U.S. Department of Commerce, and which are attached to the draft decision, state that in order to adhere to the EU-U.S. DPF, organizations must: (1) be subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission, the U.S. Department of Transportation, or another statutory body that will effectively ensure compliance with the Principles; (2) publicly declare their commitment to comply with the Principles; (3) publicly disclose that their privacy policies are “in line” with the Principles; and (4) fully implement them.  The Principles define “personal information” as data about an identified or identifiable individual that is within the scope of the GDPR, received by an organization in the U.S. from the EU, and recorded in any form.  Sensitive data encompasses the GDPR definition of special categories of data, as well as any personal data received by a third party, when the third party identifies and treats such data as sensitive.

Key obligations set forth in the Principles include:

  • Notice: Organizations must inform individuals about, among other things, their adherence to the EU-U.S. DPF and its Principles; the types of personal data collected and the purposes for collecting and processing personal data; the types or identities of third parties to which they disclose personal data and the purposes of that disclosure; the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge; the requirement to disclose personal data in response to lawful requests by public authorities; and the organization’s liability in cases of onward transfers to third parties.
  • Choice: Organizations must offer individuals the opportunity to opt out of (i) the disclosure of their personal data to a third party (excluding disclosures to organizations acting as processors), or (ii) the use of their personal data for a purpose that is materially different from the purpose(s) of original collection.  Sensitive data may only be disclosed or used for a different purpose with the individual’s affirmative express consent.
  • Accountability for onward transfers: Onward transfers, irrespective of whether they are directed within the U.S. or another third country, may only take place (i) for limited and specified purposes, (ii) on the basis of a contract with the third party, and (iii) only if the contract imposes on the third party the same level of protection as required by the Principles.  Additional requirements apply for controller-to-processor scenarios.
  • Security: Organizations must take reasonable and appropriate measures to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.
  • Data integrity and purpose limitation: Among other requirements, personal information must be limited to information that is relevant for the purposes of processing, and may not be processed in a manner that is incompatible with the purposes for which the information was collected or subsequently authorized by the individual.
  • Access: Organizations must enable individuals to access, correct, amend or delete their personal data, subject to certain limited exceptions.
  • Recourse, enforcement and liability: At a minimum, mechanisms for ensuring compliance with the Principles must include (i) readily available independent recourse mechanisms; (ii) follow-up procedures for verifying the truthfulness of organizations’ attestations and assertions; and (iii) obligations to remedy non-compliance with the Principles, accompanied by sufficiently rigorous sanctions. 

Organizations will be able to receive personal data on the basis of the EU-U.S. DPF from the date they are placed on the DPF list by the U.S. Department of Commerce.  As with the prior EU-U.S. Privacy Shield, organizations must annually re-certify their participation in the Framework and, if they leave the EU-U.S. DPF for any reason, remove all statements implying that the organization continues to participate in the EU-U.S. DPF.

Next steps

The draft adequacy decision has been submitted to the European Data Protection Board (“EDPB”), after which the European Commission will seek approval from a committee composed of representatives of the EU Member States.  In addition, the European Parliament has a right of scrutiny over the process. The European Commission’s adoption of a final adequacy decision is expected in mid-2023.  Once finalized, the adequacy decision’s application will be contingent upon the U.S. government’s implementation of EO 14086, including the establishment of a process for submitting qualifying complaints, updates to the U.S. Intelligence Community agencies’ policies and procedures in accordance with the Executive Order, and the designation of the EU as a qualifying state from which individuals may submit complaints for redress.  

***

Covington regularly advises companies on all aspects of their international transfers.  Our team is happy to assist with any inquiries relating to the proposed EU-U.S. Data Privacy Framework and other international transfers mechanisms.  

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

Lisa Peets

Lisa Peets leads the Technology Regulatory and Policy practice in the London office and is a member of the firm’s Management Committee. Lisa divides her time between London and Brussels, and her practice embraces regulatory counsel and legislative advocacy. In this context, she has worked closely with leading multinationals in a number of sectors, including many of the world’s best-known technology companies.

Lisa counsels clients on a range of EU law issues, including data protection and related regimes, copyright, e-commerce and consumer protection, and the rapidly expanding universe of EU rules applicable to existing and emerging technologies. Lisa also routinely advises clients in and outside of the technology sector on trade related matters, including EU trade controls rules.

According to the latest edition of Chambers UK (2022), “Lisa is able to make an incredibly quick legal assessment whereby she perfectly distils the essential matters from the less relevant elements.” “Lisa has subject matter expertise but is also able to think like a generalist and prioritise. She brings a strategic lens to matters.”

Diana Lee

Diana Lee is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Diana’s practice focuses on regulatory and enforcement matters relating to electronic surveillance, law enforcement access to digital evidence, and data privacy and cybersecurity. She also routinely advises clients on content moderation and consumer protection issues. Before rejoining the firm, she clerked for Judge Victor A. Bolden, United States District Judge for the District of Connecticut.

Diana is a member of the Bars of New York and the District of Columbia.

Laura Somaini

Laura Somaini is an associate in the Data Privacy and Cybersecurity Practice Group.

Laura advises clients on EU data protection, e-privacy and technology law, including on Italian requirements. She regularly assists clients in relation to GDPR compliance, international data transfers, direct marketing rules as well as data protection contracts and policies.