A MoFo Privacy Minute Q&A: EU-U.S. Data Privacy Framework
This is A MoFo Privacy Minute, where we will answer the questions our clients are asking us in sixty seconds or less.
Question: After the European Commission (EC) adopts its adequacy decision on the EU-U.S. Data Privacy Framework (DPF), will companies still be required to perform a Transfer Impact Assessment (TIA) when transferring personal data to the U.S. on the basis of SCCs and BCRs?
Answer: Yes, but in a much more simplified manner. And, in fact, companies do not have to wait for the adequacy decision to benefit from the DPF.
The European Court of Justice (ECJ) in its “Schrems II” decision identified a number of key issues as problematic with respect to personal data transfers from the EU to the U.S. Specifically, the court found that Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order (EO) 12333 did not limit data collection to what was necessary and proportionate, and that the U.S. legal system did not provide adequate judicial redress for EU individuals whose personal data was received in the U.S. Because of these issues, the ECJ invalidated the Privacy Shield framework that was in place at the time.
The Biden administration in October 2022 issued an Executive Order and regulations embodying the commitments from the U.S. to support the DPF, which included creation of a new independent redress system for EU individuals relating to personal data transferred from the EU and limitations on collection of personal data by U.S. intelligence authorities to what is necessary and proportionate to protect national security. These changes either were operative when the Executive Order was adopted or will go into effect in the near future, and the U.S. has confirmed that they apply to any and all personal data transferred from the EU, regardless of the transfer mechanism used under GDPR. As a result, these U.S. commitments also apply to transfers made under Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) and even before any final adequacy decision from the European Commission. In fact, the European Commission in its Q&A, published shortly after announcement of the U.S. commitments, indicated that the DPF addresses the concerns raised by the ECJ in its Schrems II decision and will provide for a “durable and reliable legal basis” for data transfers to the U.S.
The draft adequacy decision published by the EC on December 13, 2022 paves the way for the DPF to also operate as a transfer mechanism in and of itself. As was the case with the Privacy Shield, companies in the U.S. that receive personal data from the EU are able to certify compliance with the DPF. Once the DPF as a framework is found to be adequate by the EC, data exporters in the EU can use the U.S. data importer’s DPF certification as an additional transfer mechanism.
However, the draft adequacy decision published by the EC will still have to go through the EU rulemaking process before being adopted. In order to come to a final decision, the EC will need to obtain a (nonbinding) opinion from the European Data Protection Board (EDPB). Following the EDPB’s opinion, the draft decision will be reviewed by the European Council, which will need to formally approve it. The European Parliament will also have an opportunity to review and provide comments. Only after all these steps have been completed can the EC adopt the adequacy decision. The whole process from here on can take approximately six months, with a final decision anticipated around the middle of 2023.
Even so, the draft adequacy decision already facilitates data transfers. With the draft decision, the EC indicated that the commitments made by the U.S. address the issues identified by the ECJ in the Schrems II ruling. As a result, and because the commitments from the U.S. explicitly apply to any personal data transferred from the EU, companies transferring on the basis of SCCs and BCRs will be able to leverage the draft adequacy decision to simplify their TIAs. Following the Schrems II decision, European data protection authorities required companies to carry out TIAs for any transfers outside of the EU, including to the U.S. Companies had to identify any impact of foreign laws on the personal data transferred and determine whether any supplementary measures were required to ensure adequate protection for such data. With the U.S. commitments and the draft adequacy decision from the EC, companies will simply be able to reference these in their TIAs, without the need to assess further supplementary measures.
Max Schrems has already indicated that he intends to challenge an adequacy decision of the DPF in national and EU courts. However, he will only be able to do so once the decision is finalized, and it will take years before the ECJ will again have an opportunity to review and rule on such a challenge. Until then, both the DPF and the U.S. commitments will remain in effect and companies can rely on those for data transfers to the U.S.