On 13 December 2022 the European Union Commission (the Commission) announced a draft adequacy decision for the EU-U.S. Data Privacy Framework (EU-U.S. DPF). Having such a decision in place would facilitate the transfer of personal data from the EU/European Economic Area (EEA) to the United States (U.S.) without further safeguards, such as Standard Contractual Clauses and the ancillary complex Transfer Impact Assessments, being required.
The EU-U.S. Data Privacy Framework
The draft adequacy decision follows the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, signed by U.S. President Joe Biden in October 2022 to implement the U.S. commitments under the EU-U.S. DPF. The Executive Order intends to limit the access of U.S. intelligence agencies and to introduce an independent redress mechanism.
This is the third attempt to foster transatlantic data transfers between the EU/EEA and the U.S., and it will no doubt face legal challenges again. The previous Privacy Shield was invalidated by the European Court of Justice (CJEU) in its Schrems II decision, because U.S. national security agencies and intelligence services have disproportionate access to European bulk data. Moreover, the CJEU pointed out that the U.S. jurisdiction does not provide for adequate access to judicial redress for affected data subjects in the EU and the EEA.
Our assessment of the adequacy decision
At first glance one could get the impression that the Executive Order addresses both the proportionality and the legal redress principle. However, on closer inspection it becomes clear that the Executive Order actually fails on both counts.
Although the U.S. Government agreed that the surveillance activities by its intelligence services should be limited to what is “necessary” and “proportionate” – two fundamental principles of EU law – there is little indication that U.S. mass surveillance will change in practice. This is because the U.S. and EU legal systems and practices diverge significantly when assessing the legal meaning of “necessity” and “proportionality”. While the EU and U.S. administration agreed on the use of the words “necessary” and “proportionate” in the Executive Order, they failed to agree on the same legal meaning. Only if the terms have an actual European meaning would the U.S. fundamentally curtail its mass surveillance systems.
With respect to the principle of legal redress, the judicial body to be established, the U.S. Data Protection Review Court, is equivalent to an Ombudsman rather than an actual Court. It cannot provide for legal redress as required under the EU Charter.
As a next step the European Data Protection Board (EDPB) and a committee of EU Member States will review the draft decision. However, one should bear in mind that their opinions are not binding on the EU Commission. Once the adequacy decision is published, European companies can rely on it when transferring data to the U.S.
We will analyse the draft adequacy decision in detail in the coming days. Nonetheless, it is likely beyond doubt that there will be a new case before the CJEU once this new adequacy decision is in place.