Light at the end of the tunnel for data transfers to the US – the European Commission is preparing an adequacy decision for a new Trans-Atlantic Data Privacy Framework
Background: CJEU “Schrems II” decision, EDPB recommendations and coordinated audit by German supervisory authorities
In its “Schrems II” decision of 16 July 2020, the European Court of Justice (CJEU) invalidated the European Commission's adequacy decision on the EU-US Privacy Shield without providing for a transition period, thus dealing a harsh blow to transatlantic data transfers.
Thereafter, on 11 November 2020, the European Data Protection Board (EDPB) published detailed recommendations on measures that supplement remaining transfer tools for international data transfers and, following public consultation, adopted the final version of its recommendations on 18 June 2021.
Several German supervisory authorities have declared that they intend to “broadly enforce” the requirements set forth by the CJEU in “Schrems II” and have announced an audit of international data transfers by companies as part of a coordinated audit.
On the one hand, there is still scope for data transfers to the US on the basis of transfer tools and statutory exceptions for certain individual cases that have not been objected to by the CJEU, for example on the basis of new standard contractual clauses for international data transfers adopted by the European Commission on 4 June 2021. However, on the other hand, the “Transfer Impact Assessments” (“TIA”) recommended by the EDPB, which are also required in the new standard contractual clauses, as well as any supplementary measures that result therefrom, present companies with enormous challenges in practice.
New “Trans-Atlantic Data Privacy Framework” and US Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities”
On 25 March 2022, the European Commission and the US published a joint statement on a new “Trans-Atlantic Data Privacy Framework”. The successor to the “EU-US Privacy Shield”, which the CJEU had found inadequate, is also intended to address the concerns expressed by the CJEU in “Schrems II”.
On 7 October 2022, US President Joe Biden signed a new Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities”, which is supposed to implement into US law the agreements reached with the European Commission under the new “Trans-Atlantic Data Privacy Framework”.
Preparation of an adequacy decision for new “Trans-Atlantic Data Privacy Framework”
On this basis, the European Commission will now prepare a draft adequacy decision in relation to the new “Trans-Atlantic Data Privacy Framework” and launch its adoption procedure.
Although, unsurprisingly, the new provisions have already been the subject of some harsh criticism, the European Commission strongly assumes that the “Trans-Atlantic Data Privacy Framework” would withstand a new review by the CJEU. We can expect the “Trans-Atlantic Data Privacy Framework” to end up before the CJEU sooner or later. However, at least for the time being, companies would be able to base data transfers to the US under the new “Trans-Atlantic Data Privacy Framework” on the Commission's new adequacy decision.
At the current time, it is not possible to say with any certainty when the adequacy decision announced by the European Commission will actually come into force. Among other things, the Commission still has to obtain an opinion from the EDPB. In addition, it needs to receive the green light from a committee of representatives from EU member states. Moreover, the European Parliament also has a right of control over adequacy decisions. So far, the Commission has not specified an official date for the adoption of its adequacy decision. Accordingly, we can expect its adoption by the end of 2022, at the earliest, although the beginning of 2023 seems more likely.
In spite of the setback inflicted by “Schrems II”, it would thus seem that there is a light at the end of the tunnel for transatlantic data transfers – at least in the medium term. Nevertheless, and particularly in light of the accountability obligations under data protection law, companies should, in compliance with the comprehensive TIAs recommended by the EDPB, continue to review the risks of international data transfers and, if necessary, take measures to address such risks.