Since the invalidation of the Privacy Shield framework in 2020 in the “Schrems II” case, the EU and the U.S. have been working to set up a new framework for data flows from the EU to the U.S. A draft of a new “Data Privacy Framework” (DPF), which is designed to serve as the basis for a formal adequacy decision by the European Commission (EC), was published by the EC at the end of 2022, and is expected to be formally adopted towards the summer of 2023.
A key step in the adoption process is a review by the European Data Protection Board (EDPB), which brings together the data protection supervisory authorities of all EU countries. On February 28, 2023, the EDPB adopted its opinion on the DPF (Opinion). The EDPB welcomed certain improvements under the DPF (compared to the Privacy Shield), but also flagged certain concerns. This alert discusses the EDPB’s concerns and sets out what companies can expect as next steps in the DPF adoption process.
The General Data Protection Regulation (GDPR) requires companies to ensure personal data is adequately protected when transferred outside the EU. There are various ways for companies to ensure adequate protection, for instance, through the use of Standard Contractual Clauses or Binding Corporate Rules. The EC can also determine that the legal framework of a non-EU country provides an adequate level of protection. Companies can then freely transfer personal data from the EU to that third country based on such an “adequacy decision.”
The EU and the U.S. have, in the past, set up self-certification frameworks that were recognized as adequate, i.e., the “Privacy Shield,” which the Court of Justice of the EU (CJEU) invalidated in 2020 in the “Schrems II” case, and its predecessor “Safe Harbor,” which the CJEU had also invalidated in 2015. Those frameworks enabled companies to process EU personal data in the U.S., if they certified adherence to a set of privacy principles. The draft DPF provides for a similar self-certification scheme.
The Opinion does not legally bind the EC, but it can have significant importance in the political debate surrounding the DPF and in any future challenges to it in court. The Opinion urges the EC to remediate the following key issues before issuing an adequacy decision covering the DPF:
- Executive Order should be fully implemented. On October 7, 2022, President Biden signed an Executive Order to legally implement certain elements of the DPF that aim to strengthen the protection for EU personal data in the U.S. In particular, U.S. intelligence agencies will only be permitted to access EU data to the extent such access is necessary and proportionate to protect national security. Additionally, a newly created Data Protection Review Court (DPRC) will independently investigate complaints from EU citizens, and thereby offer EU citizens an avenue for redress regarding the collection and use of their data by U.S. intelligence agencies.
These elements are critical to satisfy the concerns of the CJEU in Schrems II. However, in the Opinion, the EDPB states that the Executive Order is not yet fully reflected in the procedures of U.S. law enforcement and intelligence agencies. The EDPB therefore recommends that the EC’s adoption of an adequacy decision be made conditional upon the relevant U.S. agencies implementing the Executive Order.
- DPF Principles should be strengthened. As with the Privacy Shield, companies that self-certify to the DPF will publicly declare their commitment to principles and requirements set out in the DPF. Those principles are similar to, but not the same as, the requirements of the GDPR. There are seven core principles (and 16 “supplemental principles”), which remain largely unchanged from those of the Privacy Shield. They include commitments such as keeping data accurate and up to date, ensuring transparency about use of personal data, and enabling individuals to exercise their rights such as a right to access and rectification. Since the principles remain largely the same, the EDPB flags that certain concerns previously raised under the Privacy Shield also apply to the DPF.
In particular, the EDPB considers that the current wording of the DPF risks leading to a narrow interpretation of individuals’ right of access. The EDPB also considers that specific rules concerning automated decision making are needed. Further, the EDPB calls on the EC to clarify certain exemptions that are built into the DPF, such as the possibility for companies to limit their adherence to the DPF principles to the extent necessary to comply with a court order or to meet public interest, law enforcement, or national security requirements. Finally, the EDPB invites the EC to specify, as part of the “onward transfer” principle, that a recipient of data originally transferred to the U.S. under the DPF and then sent to another country should be subject to safeguards that are effective in light of the legislation of such other country.
- More safeguards for bulk data collection. The EDPB identifies a number of points in the Executive Order that require clarification or that raise concern. In particular, the EDPB is concerned that the Executive Order does not provide for a mechanism of independent prior authorization for bulk data collection. It also does not provide for a systematic independent review ex post by a court or an equivalently independent body.
- EC should monitor functioning of redress mechanism. The EDPB recognizes significant improvements in the enhanced independence and powers of the DPRC, compared to the Ombudsperson mechanism of the Privacy Shield. This was a specific concern of the CJEU in Schrems II. However, the EDPB questions whether the DPRC’s responses to complainants, which will take the form of high-level standard replies, will be sufficient to ensure effective judicial protection for complainants. The EDPB calls on the EC to closely monitor the practical functioning of this redress mechanism.
Although the Opinion does not legally bind the EC, it carries significant political weight. In addition, the EC is under pressure from the European Parliament, which recently urged the EC not to grant the DPF adequacy status. On February 20, 2023, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee) issued a draft motion which urged the EC to resume negotiations with its U.S. counterparts and develop a stronger framework. The LIBE Committee mentioned several points in the Executive Order that it considered to be unclear or unpredictable in their application. For example, the LIBE Committee is concerned that the Executive Order could be amended at any time by the then-current U.S. president, and that it does not apply to data accessed by public authorities by means other than direct transfer, such as through the U.S. Cloud Act. Moreover, the LIBE Committee regarded the redress mechanism for commercial matters (for which companies can rely on alternative dispute resolution) as insufficient. To further add to the uncertainty, privacy activist Max Schrems has already indicated that he plans to challenge an adequacy decision for the DPF in court, so it can be expected that any EC decision approving the DPF will ultimately be subject to a challenge before the CJEU, a process that could take several years.
It remains to be seen to what extent the EC will act on the EDPB’s and LIBE Committee’s criticisms, and whether the EC will still move forward with adopting its adequacy decision for the DPF. In the meantime, companies may start to assess if certifying with the DPF is the right option for them. For instance, a clear benefit of the DPF is that certified companies will be able to freely transfer EU personal data to the U.S., without needing to implement a data transfer mechanism (such as Standard Contractual Clauses) with their business partners in the EU.
Also, for companies that were (or still are) Privacy Shield certified, the DPF will feel very familiar. They will likely be able to rely, to a large extent, on their existing documentation and processes to comply with the DPF principles. Most of the changes brought by the DPF relate to the use of EU personal data by U.S. intelligence agencies. For businesses, the changes are rather limited. In particular, the set of privacy principles that companies need to adhere to remains largely unchanged. As with the Privacy Shield, companies that wish to self-certify must be subject to the jurisdiction of the Federal Trade Commission (FTC) or the U.S. Department of Transportation and register with an independent dispute resolution body. If the EC adopts an adequacy decision covering the DPF, then companies will need to submit their certification to the U.S. Department of Commerce, and then recertify on an annual basis.
Wilson Sonsini Goodrich & Rosati routinely helps clients manage risks related to the enforcement of privacy and data protection laws, along with advising clients on general domestic and international privacy and data security issues. For more information, please contact Cédric Burton, Laura De Boel, Maneesha Mithal, Christopher Kuner, Nikolaos Theodorakis, or another member of the firm’s privacy and cybersecurity practice.
Mina Gholiof and Hattie Watson assisted with the preparation of this Wilson Sonsini post.