On December 13, 2022, the European Commission released its draft adequacy decision on the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), which, once formally adopted, would recognize that the United States ensures an adequate level of protection for personal data transferred from the EU to organizations certified under the EU-U.S. DPF. The draft decision follows the issuance of Executive Order 14086 on Enhancing Safeguards for U.S. Signals Intelligence Activities (“EO 14086”) by President Biden on October 7, 2022 (see our previous blog post here), and the political agreement reached between the EU and the U.S. in March 2022 (see our previous blog post here).
As many had expected, the draft adequacy decision assesses the limitations and safeguards relating to the collection and subsequent use by U.S. public authorities of personal data transferred to controllers and processors in the United States. In particular, the draft decision assesses whether the conditions under which the U.S. government may access data transferred to the United States fulfill the “essential equivalence” test pursuant to Article 45(1) of the GDPR, as interpreted by the Court of Justice of the European Union (“CJEU”) in Schrems II (see our previous blog post here).
As part of this assessment, the draft decision considers U.S. public authorities’ access to and use of personal data for criminal law enforcement and national security purposes, the latter of which was a key concern of the CJEU in Schrems II. The draft decision describes, among other matters, the safeguards established by EO 14086, and notes that EO 14086 is a “particularly important element” of the EU-U.S. DPF, supplementing the DPF’s Principles (the “Principles”) to achieve “essential equivalence”. On the basis of the safeguards set forth in EO 14086, together with additional limitations on government access and use of personal data in U.S. law, the draft adequacy decision concludes that “when U.S. law enforcement and national security authorities access personal data falling within the scope of this Decision, such access is governed by a legal framework that lays down the conditions under which access can take place and ensures that access and further use of the data is limited to what is necessary and proportionate to the public interest objective pursued.” The draft decision further concludes that these safeguards may be “invoked by individuals who enjoy effective redress rights.”
As described in the draft adequacy decision, under the new EU-U.S. DPF, U.S. controllers and processors will be able to self-certify their adherence to a set of Principles, including Supplemental Principles, issued by the U.S. Department of Commerce. The Principles, which were included in the package of materials transmitted to the Commission by the U.S. Department of Commerce, and which are attached to the draft decision, state that in order to adhere to the EU-U.S. DPF, organizations must: (1) be subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission, the U.S. Department of Transportation, or another statutory body that will effectively ensure compliance with the Principles; (2) publicly declare their commitment to comply with the Principles; (3) publicly disclose that their privacy policies are “in line” with the Principles; and (4) fully implement them. The Principles define “personal information” as data about an identified or identifiable individual that is within the scope of the GDPR, received by an organization in the U.S. from the EU, and recorded in any form. Sensitive data encompasses the GDPR’s special categories of data, as well as any personal data received from a third party where that third party identifies and treats such data as sensitive.
Key obligations set forth in the Principles include:
- Notice: Organizations must inform individuals about, among other things, their adherence to the EU-U.S. DPF and its Principles; the types of personal data collected and the purposes for collecting and processing personal data; the types or identities of third parties to which they disclose personal data and the purposes of that disclosure; the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge; the requirement to disclose personal data in response to lawful requests by public authorities; and the organization’s liability in cases of onward transfers to third parties.
- Choice: Organizations must offer individuals the opportunity to opt out of (i) the disclosure of their personal data to a third party (excluding disclosures to organizations acting as processors), or (ii) the use of their personal data for a purpose that is materially different from the purpose(s) of original collection. Sensitive data may only be disclosed or used for a different purpose with the individual’s affirmative express consent.
- Accountability for onward transfers: Onward transfers, irrespective of whether they are directed within the U.S. or another third country, may only take place (i) for limited and specified purposes, (ii) on the basis of a contract with the third party, and (iii) only if the contract imposes on the third party the same level of protection as required by the Principles. Additional requirements apply for controller-to-processor scenarios.
- Security: Organizations must take reasonable and appropriate measures to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.
- Data integrity and purpose limitation: Among other requirements, personal information must be limited to information that is relevant for the purposes of processing, and may not be processed in a manner that is incompatible with the purposes for which the information was collected or subsequently authorized by the individual.
- Access: Organizations must enable individuals to access, correct, amend or delete their personal data, subject to certain limited exceptions.
- Recourse, enforcement and liability: At a minimum, mechanisms for ensuring compliance with the Principles must include (i) readily available independent recourse mechanisms; (ii) follow-up procedures for verifying the truthfulness of organizations’ attestations and assertions; and (iii) obligations to remedy non-compliance with the Principles, accompanied by sufficiently rigorous sanctions.
Organizations will be able to receive personal data on the basis of the EU-U.S. DPF from the date they are placed on the DPF list by the U.S. Department of Commerce. As with the prior EU-U.S. Privacy Shield, organizations must annually re-certify their participation in the Framework and, if they leave the EU-U.S. DPF for any reason, remove all statements implying that the organization continues to participate in the EU-U.S. DPF.
The draft adequacy decision has been submitted to the European Data Protection Board (“EDPB”), after which the European Commission will seek approval from a committee composed of representatives of the EU Member States. In addition, the European Parliament has a right of scrutiny over the process. The European Commission’s adoption of a final adequacy decision is expected in mid-2023. Once finalized, the adequacy decision’s application will be contingent upon the U.S. government’s implementation of EO 14086, including the establishment of a process for submitting qualifying complaints, updates to the U.S. Intelligence Community agencies’ policies and procedures in accordance with the Executive Order, and the designation of the EU as a qualifying state from which individuals may submit complaints for redress.
Covington regularly advises companies on all aspects of their international transfers. Our team is happy to assist with any inquiries relating to the proposed EU-U.S. Data Privacy Framework and other international transfers mechanisms.