EU confirms draft decision on replacement US data transfer pact

The European Commission has announced a draft decision on U.S. adequacy, paving the way for a replacement EU-U.S. data transfer deal to be adopted next year.

The draft adequacy decision for the EU-U.S. Data Privacy Framework (DPF), as it’s called, can be downloaded here.

The Commission’s draft is a key step in years of tortuous bilateral process which the EU’s executive body and U.S. counterparts hope will finally bring legal certainty to transatlantic exports of EU personal data — which have been shrouded in risk after earlier agreements were invalidated by the bloc’s top court, back in July 2020 and October 2015, over the legal disconnect between European privacy rights and U.S. surveillance powers.

Resolving that schism has been — and remains — the key sticking point for EU-U.S. data transfers. It means any new deal on transatlantic data transfers will undoubtedly face legal challenges to test whether this fundamental clash has really been resolved.

But even just getting a replacement agreed on paper, after the last two deals were torn up by the Court of Justice of the EU (CJEU), has been a major effort and challenge.

Yesterday the EU’s justice commissioner, Didier Reynders, told a Politico event that he hoped the new pact would be finalized before July next year — and he gave it a ‘7 or 8 out of 10’ chance of withstanding legal challenge. So even the Commission is not 100% on this surviving.

In a statement accompanying the announcement of the draft decision today, Reynders said:

Today’s draft decision is the outcome of more than one year of intense negotiations with the US that I led together with my US counterpart Secretary of Commerce Raimondo. Over the past months, we assessed the US legal framework provided by the Executive Order as regards the protection of personal data. We are now confident to move to the next step of the adoption procedure. Our analysis has showed that strong safeguards are now in place in the U.S. to allow the safe transfers of personal data between the two sides of the Altlantic. The future Framework will help protect the citizens’ privacy, while providing legal certainty for businesses. We now await for the feedback from the European Data Protection Board, Member States’ experts and the European Parliament.

In another supporting statement, Věra Jourová, Commission VP for values and transparency, added:

Our talks with the US have resulted in proposing a Framework that will further improve safety of personal data of Europeans transferred to the US. It builds on our good cooperation and progress we have made over the years. The future Framework is also good for businesses and it will strengthen Transatlantic cooperation. As democracies, we need to stand up for fundamental rights, including data protection. This is necessity, not a luxury in the increasingly digitalised and data driven economy.

Keenly watching developments will be a number of tech giants — including Meta, which is at risk of a suspension order being slapped on its EU-U.S. data transfers following a long-running complaint that’s still grinding through the EU’s General Data Protection Regulation’s (GDPR) enforcement procedures (so it’s a race against time to see which will arrive first); Google, whose analytics product has been hit with warnings by DPAs around the bloc over illegal transfers of personal data; and Microsoft, whose cloud-based productivity suite 365 is under GDPR review by German DPAs that’s further complicated by the data transfers issue, to name three high profile examples.

But the transfers issue of course touches thousands of companies that rely on exporting personal data from the EU to the U.S. and have been left in legal limbo since the demise of Privacy Shield.

Negotiations between the EU and the U.S. to replace the most recently defunct Privacy Shield deal took until this March to arrive at a political agreement, and until October before U.S. President Joe Biden signed an executive order (EO) to implement the replacement data transfer agreement.

The signing of the EO handed the baton back to the Commission — and now it’s produced a draft adequacy agreement, as the bloc dubs such deals, based on the text signed by the U.S. administration (and accompanying regulations issued by the U.S. Attorney General Merrick Garland), which implemented into U.S. law the agreement-in-principle signed by the EU and U.S. back in March.

The next stage in the process is a review of the draft decision by other EU institutions, including the European Data Protection Board (EDPB) and a committee of EU Member States, along with scrutiny by members of the European Parliament. However the final decision to adopt adequacy is up to the Commission alone — so today’s draft decision marks a significant step along the road to sealing a new deal.

“US companies will be able to join the EU-U.S. Data Privacy Framework by committing to comply with a detailed set of privacy obligations, for instance, the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties,” the Commission writes. “EU citizens will benefit from several redress avenues if their personal data is handled in violation of the Framework, including free of charge before independent dispute resolution mechanisms and an arbitration panel.

“In addition, the US legal framework provides for a number of limitations and safeguards regarding the access to data by US public authorities, in particular for criminal law enforcement and national security purposes. This includes the new rules introduced by the US Executive Order, which addressed the issues raised by the Court of Justice of the EU in the Schrems II judgment: Access to European data by US intelligence agencies will be limited to what is necessary and proportionate to protect national security; EU individuals will have the possibility to obtain redress regarding the collection and use of their data by US intelligence agencies before anindependent and impartial redress mechanism, which includes a newly created Data Protection Review Court. The Court will independently investigate and resolve complaints from Europeans, including by adopting binding remedial measures.”

“European companies will be able to rely on these safeguards for trans-Atlantic data transfers, also when using other transfer mechanisms, such as standard contractual clauses and binding corporate rules,” the Commission added.

All that said, how long the reupped deal will last remains to be seen.

The EU-U.S. Privacy Shield survived less than four years before the CJEU struck it down. And a third challenge over the same issue may not take so long to arrive at a high level legal reckoning.

In a statement on the Commission’s draft decision announcement, noyb, the privacy and digital rights not-for-profit advocacy group founded by Max Schrems — whose surname has become synonymous with successful challenges to EU-U.S. data transfer deals — predicts the DPF will fail in front of the CJEU.

“The CJEU required (1) that US surveillance is proportionate within the meaning of Article 52 of the Charter of Fundamental Rights (CFR) and (2) that there is access to judicial redress, as required under Article 47 CFR. Updated US law (Executive Order 14086) seems to fail on both requirements, as it does not material change the situation from the previously applicable PPD-28. There is continuous ‘bulk surveillance’ and a ‘court’ that is not an actual court. Therefore, any EU ‘adequacy decision’ that is based on Executive Order 14086 will likely not satisfy the CJEU,” noyb said in a press release.

Its analysis of the deal-in-principle between the two sides, based on the text of the U.S. EO, is that changes “seem rather minimal” and the agreement “underperforms when it comes to the protection of non-US persons”, as it puts it — hence it’s predicting the third deal won’t pass muster with the CJEU either.

Commenting in a statement, Schrems added: “We will analyze the draft decision in detail the next days. As the draft decision is based on the known Executive Order, I can’t see how this would survive a challenge before the Court of Justice. It seems that the European Commission just issues similar decisions over and over again — in flagrant breach of our fundamental rights.”

Still, not everyone deeply involved in data protection is so down on this ‘third time less unlucky’ attempt to nail down an EU-U.S. data transfers deal.

Hamburg’s Data Protection commissioner put out a somewhat positive-sounding statement on the contents of the EO last month — welcoming how, for the first time, U.S. secret service activities would be subject to “a proportionality proviso” — and also welcoming the US’ seeming willingness to (at least) limit the scope of government data collection — while also hitting out at what it dubbed “knee-jerk” criticism of the agreement.

At the same time, though, it emphasized that thorough scrutiny of the deal will be required to determine whether crux elements — such as how U.S. secret services will interpret ‘proportionality’; and the functioning of the data protection court — will actually meet the CJEU’s requirements or not. Notably, it also described it as “problematic” the fact that U.S. bulk collection (aka “the instrument of mass surveillance”) is expressively retained.

It will certainly be interesting to see what the EDPB makes of the DPF.

A thumbs down from the Board — which the Commission confirmed has received its draft decision so it can now begin working on its opinion — would be highly indicative of legal troubles ahead. But a more positive verdict from the EDPB would of course be a very different story.

A spokeswoman for the Board told us it will not be issuing a statement at this stage of the process.

She also said the timeframe for the EDPB adopting an opinion on the draft decision is not clear. “At this moment, we cannot say when this will be. No deadline is foreseen under the GDPR but the European Commission can decide to set a deadline,” she added.

For its part, noyb said it does not expect the new pact to be finalized before spring 2023. Once that happens, it notes that users will be able to challenge the DPF via national and European courts — thereby setting a new clock ticking on fresh regulatory risk.

The Commission will also monitor the functioning of the EU-U.S. Data Privacy Framework — via a process of “periodic reviews” — which it will conduct itself, with input from European data protection authorities, and along with the competent U.S. authorities.

“The first review will take place within one year after the entry into force of the adequacy decision, to verify whether all relevant elements of the US legal framework have been fully implemented and are functioning effectively in practice,” it noted.

The Commission has also produced a short Q&A offering more detail on its draft decision.