Transferring Personal Data of Europeans to the United States in 2023
This article discusses upcoming changes with respect to the transfer of personal data from the European Union (EU) to the United States (U.S.) in light of the Schrems II decision (discussed below).
Replacement Rules for EU-U.S. Data Transfers In Progress
Rules to replace the now-defunct EU-U.S. Privacy Shield Framework (Privacy Shield) could be imminent: on December 13, 2022, the European Commission published a draft adequacy decision on the EU-U.S. Data Privacy Framework, responding to the new framework President Biden announced in October of the same year. The General Data Protection Regulation (GDPR) restricts the transfer of personal data from the European Economic Area (EEA) to a third country. Under Article 45(3) of the GDPR, the European Commission has the power to decide whether a third country ensures an adequate level of protection for personal data of natural persons located within the EU; where it does, data may flow to that country without further authorization.
Privacy Shield, enacted in 2016, was a mechanism that allowed the transfer of personal data from the EU to the U.S. In 2020, the Court of Justice of the European Union (CJEU) struck down Privacy Shield in the Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems decision (also known as Schrems II). In Schrems II, the CJEU found that the protection of data provided by Privacy Shield was insufficient. In particular, the court was concerned about two issues regarding the transfer of EU data under Privacy Shield. The first concern arose from the extensive scope of permitted disclosure of European personal data to U.S. public authorities for national security, law enforcement, and other public interest purposes. In addition, the court concluded that the Privacy Shield Ombudsperson lacked sufficient power to respond to complaints from Europeans regarding their personal data.
Consequently, over 5,000 organizations that had self-certified their adherence to Privacy Shield faced a difficult choice: cease EU-U.S. data transfers entirely, or redesign their transfer strategy around another lawful mechanism. Alternatives exist under Article 46 of the GDPR in the form of "appropriate safeguards" such as Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs), but both are onerous to implement, and Schrems II further requires exporters relying on them to assess the law of the destination country and add supplementary measures where needed. Many small and medium-sized businesses cannot afford that effort.
A New Framework on the Horizon
In March 2022, after almost two years of uncertainty, President Biden and European Commission President Ursula von der Leyen announced a new agreement in a joint press statement. The Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, signed by President Biden in October 2022, confirmed the U.S. commitment to establishing new practices that satisfy the CJEU requirements. As described by President Biden, this newly designed framework will “allow the European Commission to once again authorize transatlantic data flows that help facilitate $7.1 trillion in economic relationships” between the U.S. and the EU.
In response to the CJEU concerns, the executive order limits U.S. signals intelligence activities to those that are "necessary to advance a validated intelligence priority" and "proportionate" to that authorized priority. It also establishes a new two-layer redress mechanism, replacing the Privacy Shield Ombudsperson role found inadequate in Schrems II: an initial review by the Civil Liberties Protection Officer of the Office of the Director of National Intelligence, followed by the opportunity for a further review by the Data Protection Review Court (DPRC). As explained in Attorney General Order No. 5517-2022, the DPRC will be established within the Department of Justice and will consist of judges chosen from outside the U.S. Government. The DPRC will independently investigate and resolve complaints received from individuals who file applications through the appropriate public authority in a designated foreign country or regional economic integration organization.
The draft adequacy decision on the EU-U.S. Data Privacy Framework concluded that the redesigned framework provides safeguards that meet EU standards. It also clarified that the limits on government access introduced by the executive order benefit all transfers of personal data to the U.S., including those made under other mechanisms such as SCCs and BCRs, which eases the Schrems II transfer-impact assessment for organizations relying on them. On January 17, 2023, the draft was presented to the European Data Protection Board (EDPB) for its opinion. The European Parliament, the EU's legislative body, may also exercise its right to scrutinize the draft adequacy decision. Although the EDPB's opinion and Parliament's comments are not binding, their input could prompt the Commission to revise the final draft before submitting it to a committee of EU Member State representatives for approval. Following these steps, full adoption of the EU-U.S. Data Privacy Framework is expected in the summer of 2023.