The European Commission (EC) has granted data adequacy to the US, allowing companies to freely transfer personal data across the Atlantic without the need for additional safeguards.
Data adequacy was granted specifically in relation to the EU-US Data Privacy Framework, which is designed to improve the safety of transatlantic data flows and address concerns arising from the European Court of Justice’s (ECJ) striking down the EU-US Privacy Shield data-sharing agreement in July 2020.
The court said in its ruling, colloquially known as Schrems II after the Austrian lawyer who took the case to the ECJ, that the previous agreement failed to ensure European citizens adequate right of redress when data is collected by the US National Security Agency (NSA) and other US intelligence services.
The ruling also cast doubt on the legality of using standard contractual clauses (SCCs) as the basis for international data transfers, finding that although these were legally valid, companies still had a responsibility to ensure that those they shared the data with granted privacy protections equivalent to those contained in EU law.
Since Schrems II, the Commission has been in discussions with Washington about the creation of a new data sharing framework that could address the issues raised by the court, with the two parties reaching a high-level “in principle” agreement in March 2022 that another arrangement could be signed off on if certain assurances are provided by the US.
This included the US agreeing to expand its oversight of US signals intelligence, to strengthen civil liberties safeguards, and to create a new binding legal mechanism that will give EU citizens rights of redress if they believe their data has been abused.
These changes were subsequently implemented in US law via an October 2022 Executive Order signed by president Joe Biden, as well as regulations issued by US attorney general Merrick Garland the same month, which led to the EC granting a draft data adequacy decision in the US’s favour that December.
Now that data adequacy has been granted, the new Data Privacy Framework creates “binding safeguards” that include creating a Data Protection Review Court (DPRC) which EU citizens will have access to – restricting the access of US intelligence services to EU data to what is necessary and proportionate, and requiring companies to delete personal data when it is no longer necessary for the purpose for which it was collected.
“The new EU-US Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic. Following the agreement in principle reached with president Biden last year, the US has implemented unprecedented commitments to establish the new framework,” said EU president Ursula von der Leyen.
“Today, we take an important step to provide trust to citizens that their data is safe, to deepen our economic ties between the EU and the US, and at the same time to reaffirm our shared values. It shows that by working together, we can address the most complex issues.”
If they want to share data between the EU and US, companies from both side of the Atlantic will now need to sign up to the framework, which will be periodically reviewed by the EC, European data protection bodies, and US competent authorities.
The first review will take place within a year of the adequacy decision to ensure that all relevant elements have been fully implemented in the US legal framework and are functioning effectively in practice.
The announcement of the EU adequacy decision follows UK and US governments committing in principle to a new data bridge agreement in early June 2023, which is being officially referred to as the UK Extension of the EU-US Data Privacy Framework.
The data bridge announcement was followed by another announcement in early July 2023 that the UK is being given “associate” status in the Global Cross Boarder Privacy Rules (CBPR) forum, which was established in April 2022 to facilitate the free flow of data globally and achieve interoperability between different data protection frameworks.
The EC previously granted data adequacy to the UK in June 2021 following its exit from the EU allowing the free flow of personal data to and from the bloc to continue, but warned that the decision may yet be revoked if future data protection laws diverge significantly from those in Europe.
The tech sector has responded positively to the adequacy decision on the basis that is has ended three years of legal uncertainty.
Julian David, CEO of tech sector lobby group TechUK, for example, said the framework marks “an important and long-awaited milestone” that offers clarity and legal certainty to businesses.
“We now look forward to working with our members, the UK and US governments to finalise the UK-US data bridge, which will allow UK businesses to transfer data freely to certified US organisations, facilitating exchanges that are worth billions of dollars in digital trade,” said David.
The Computer & Communications Industry Association’s (CCIA Europe) public policy director, Alexandre Roure, also welcomed the decision, which he described as a “major breakthrough” for businesses. He added that, after waiting for years, companies and organisations of all sizes on both sides of the Atlantic finally have the certainty of a durable legal framework.
“First and foremost, we applaud member states’ decision to end this gridlock, but CCIA would also like to thank the Commission and the US government for their hard work to create a new mechanism that facilitates data flows while also protecting the rights of individuals,” he said.
David Dumont, a partner at law firm Hunton Andrews Kurth, added that the US legal framework around government surveillance activities has “significantly changed” since Schrems II invalidated Privacy Shield.
“The US has put in place legal safeguards that limit access to personal data and has introduced more robust oversight mechanisms, such as the Data Protection Review Court,” he said.
“The European Commission seems to be convinced that the new transatlantic data transfer framework will adequately address Schrems II issues and that the new adequacy decision will likely survive a challenge in the Court of Justice of the European Union, which will be asked to assess whether the new safeguards laid down in the framework are sufficient to be considered essentially equivalent to the safeguards in the EU.”
He added that, in light of the changes, it is unlikely that a further legal challenge would be successful: “People have somewhat lost patience with the issue, and organisations are looking for legal certainty and reassurance that they can rely on the decision once confirmed.
“If the new adequacy decision would, once again, be struck down by the CJEU, organisations may lose faith in the feasibility of a successful EU–US data transfer framework and turn to EU Standard Contractual Clauses as their sole and permanent solution to legitimise data transfers to the States.”
‘No substantial change in law’, says Schrems
However, Max Schrems, chair of digital rights organisation noyb, and who is the lawyer who challenged Privacy Shield, has already committed to challenging the decision, which he said is “largely a copy of the failed Privacy Shield” agreement.
“They say the definition of insanity is doing the same thing over and over again and expecting a different result. Just like Privacy Shield, the latest deal is not based on material changes, but by political interests. Once again, the current Commission seems to think that the mess will be the next Commission’s problem,” he said.
“We now had Harbors, Umbrellas, Shields and Frameworks – but no substantial change in US surveillance law. The press statements of today are almost a literal copy of the ones from the past 23 years. Just announcing that something is ‘new’, ‘robust’ or ‘effective’ does not cut it before the Court of Justice. We would need changes in US surveillance law to make this work – and we simply don’t have it.”
A major part of the issue, according to noyb, is that the US has refused to reform section 702 of the Foreign Intelligence Surveillance Act (FISA), which allows for the targeted surveillance of people outside the US as long as they are not a US citizen.
Any court order issued under FISA laws also comes with a gag order – a legal instrument that prevents the recipients from letting anybody else know they have received the order.
Noyb added that FISA 702 needs to be prolonged by the US by the end of 2023 due to ‘sunset clauses’ in the law: “This would have been the perfect opportunity to improve US law, but given the new deal with the EU, there will be little reason for the US to reform FISA 702.”