Like an early Christmas present, the much-anticipated EU-US Data Privacy Framework draft adequacy decision was published on 13 December 2022. The draft decision follows on from US President Biden’s Executive Order of 7 October 2022 (for more see our article here), which purports to address the key concerns in the Schrems II litigation, i.e. the lack of limits on governmental surveillance activities and a lack of redress for EU citizens. The draft decision kick-starts the EU Commission’s adequacy process to recognise the Trans-Atlantic Data Privacy Framework (DPF) as “essentially equivalent” to the protections provided under the GDPR and will allow the re-birth of Privacy Shield (now to be known, with some tweaks, as the DPF) as a transfer mechanism for EU-US data transfers.

To be clear, this is not a wide-ranging adequacy decision of the kind seen in the EU-UK or EU-Japan decisions, or indeed the UK’s similar decisions. Even if and when (and we hope “when”) the European Commission adopts the final adequacy decision, data can only flow freely and “safely” between the EU and US companies (self) certified by the Department of Commerce under the new EU-US Data Privacy Framework. So this decision would be, as the original Safe Harbour and Privacy Shield I decisions were too, a partial and conditional adequacy decision.

Note there is material detail in the draft decision about how the Department of Commerce will certify, re-certify, and monitor compliance. Do also note that, as with Privacy Shield before it, this will not be accessible to all companies – only those that are subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) and Department of Transportation can certify under DPF. This does not include some financial services companies, for instance, who were never able to certify under Privacy Shield and may also not be able to certify under DPF.

In terms of the banal, detail is yet to emerge, but we imagine all the mechanics built into the Department of Commerce’s website https://www.privacyshield.gov/welcome will be retooled and tweaked as necessary under the banner of the EU-US DPF.

Further work to be done

Not to dampen the ‘festivities’ surrounding this announcement, but we know from the UK’s recent experience there are many hurdles yet to overcome: first the EDPB’s Opinion, which the EU Commission will take into account, and then a committee of representatives from the EU Member States will be asked to give the adequacy decision the green light (although, as an adequacy decision is an implementing act, the EU Parliament has limited power to revise or block such an act, and in reality it can only object if it believes the EU Commission has overstepped its implementing powers). Both the EU and the US have invested time and effort to get to this stage, so while the rhetoric dials up a notch, expect to see lots of political manoeuvring to get this decision across the line.

Much has also been made of the possible inclusion of a clause in any final decision that would stipulate that the legal protections set out in the Executive Order must be maintained (similar to the approach the EU Commission took with the UK to ensure UK GDPR remained essentially equivalent to the GDPR) as a way to ensure the protections would be maintained should any future president move to overturn the Executive Order. This is clearly an attempt to pacify the privacy activists, but they seem to have bigger issues with the adequacy process, namely that, in their view, unfettered bulk surveillance will continue, that the newly established Data Protection Review Court under the Executive Order is not an actual court, and that there is a fundamental disconnect when it comes to the meaning of the word “proportionate”, which is used in conjunction with surveillance activity.

What happens next?

Again drawing on the UK’s experience, we know there is still some process to go which may take a number of months, but allowing for world events this year, maybe it’s not a total surprise that the warmer summer days will be with us before we see any final decision. Justice Commissioner Didier Reynders has been reported as saying we may have an adequacy decision by “July 2023” – a mere 3 years after the Schrems II decision, but emphasis is being placed on the fact both the EU and US have taken time with the negotiations to address the CJEU’s concerns in order that this new Trans-Atlantic Data Privacy Framework will withstand any potential Schrems III type challenge.

That said, a challenge looks highly likely. Max Schrems said “We will analyze the draft decision in detail [in] the next days. As the draft decision is based on the known Executive Order, I can't see how this would survive a challenge before the Court of Justice. It seems that the European Commission just issues similar decisions over and over again - in flagrant breach of our fundamental rights.” He also stated it would be open to data subjects to challenge this new framework in national and European courts should the EU conclude an adequacy decision in favour of the US.

What should I do now?

Luckily, other than watching this space, you should continue to do all the things we recommended in our article about the Executive Order found here. And perhaps keep your fingers crossed!

Conclusion

As 2022 draws to a close, it looks like 2023 is shaping up to be every bit as eventful in the data privacy world! We will be following developments closely, posting updates on our blog and discussing them at our In-House Data Club. You can sign up to our blog here or, to receive invitations to our In-House Data Club events, contact our wonderful events team (events@lewissilkin.com). For UK organisations, we will also be tracking developments for data transfers ex-UK to US as negotiations continue and plans progress in line with the UK-US Joint Statement: New Comprehensive Dialogue on Technology and Data and Progress on Data Adequacy.