With the new adequacy decision of the European Commission, the transfer of personal data to the US will soon undergo significant and important developments.
As in the best Netflix series, we start with a short recap of the previous episodes. It all began with the first “Schrems case”, named after Austrian privacy activist Maximilian Schrems. By judgment of 6 October 2015, the Court of Justice of the European Union (“CJEU”) declared invalid the European Commission’s Decision 520/2000/EC, which recognized the US system as providing adequate protection for the transfer of personal data. The Court objected to the fact that the data transfer agreement between the EU and the US in force at that time (the so-called “Safe Harbour”) allowed for derogations from the GDPR for reasons of public interest such as national security.
In an attempt to remedy the aforementioned problems, a second agreement (“Privacy Shield”) was adopted. However, following the CJEU’s judgment of 16 July 2020 in the so-called “Schrems II” case, this latter agreement was also invalidated as inconsistent with the core principles of the GDPR. In particular, the CJEU focused on the breach of the principles of proportionality and data minimisation, since the US public authorities were entitled to access and process the transferred personal data beyond what was strictly necessary for security reasons.
The CJEU, while confirming the validity of Decision 2010/87/EC on standard contractual clauses (SCCs), requires exporters and importers of personal data wishing to make use of SCCs to assess, prior to the transfer, whether the importer is able to comply, on the basis of the applicable law and of the circumstances of the transfer in the specific case, with the commitments entered into with the SCCs. The CJEU also requires, if necessary, the introduction of “additional safeguards”, “supplementary measures” and “effective mechanisms” that make the level of data protection in the United States identical to that guaranteed in the European Union (so-called transfer impact assessment).
The regulatory vacuum created as a result of the declaration of invalidity of the Privacy Shield has caused significant legal uncertainty. Indeed, there are currently many issues of compliance with the GDPR and the Privacy Shield affecting the activities of economic operators.
To follow up on the indications contained in the “Schrems II” decision, the European Commission and the US Government started negotiating a new agreement (the so-called “Trans-Atlantic Data Privacy Framework”). On 25 March 2022, European Commission President Ursula von der Leyen and US President Joe Biden reached an agreement in principle, which on 7 October 2022 was followed by an Executive Order issued by the US President implementing the commitments made in the March agreement in principle.
In particular, in order to consolidate the system of data privacy safeguards for EU citizens whose data are transferred to the United States, the executive order requires: (i) binding safeguards aimed at limiting access to personal data to cases of strict necessity and in compliance with the principle of proportionality; (ii) strict control over the activities of the US intelligence services to ensure compliance with the limitations provided for surveillance activities; (iii) the establishment of a new “Data Protection Review Court” responsible for ruling on complaints lodged in relation to access to personal data by the US security authority; (iv) the consequent review of the respective internal policies and procedures for the implementation of the measures in question. As mentioned in the fact sheet accompanying the Executive Order, “transatlantic data flows are critical to enabling the $7.1 trillion EU-U.S. economic relationship”. In said document, President Joe Biden added that “U.S. and EU companies large and small across all sectors of the economy rely upon cross-border data flows to participate in the digital economy and expand economic opportunities. The EU-U.S. Data Privacy Framework represents the culmination of a joint effort by the United States and the European Commission to restore trust and stability to transatlantic data flows and reflects the strength of the enduring EU-U.S. relationship based on our shared values.”
Following the issuance of the executive order and of the relevant regulations, the European Commission started the procedure for the adoption of the relevant adequacy decision, whose draft was made public on 13 December 2022 (https://commission.europa.eu/document/e5a39b3c-6e7c-4c89-9dc7-016d719e3d12_en). Pursuant to Article 45 of the GDPR, an adequacy decision is one of the instruments for transferring personal data to a third country without requiring any prior specific authorisation. The draft in question represents the result of a delicate balancing act between compliance with the principles enshrined in the European data protection law and the supervisory powers of the United States.
According to the recitals of the draft adequacy decision, the transfer of personal data is lawful sic et simpliciter after an assessment of the equivalence of the level of protection guaranteed by the respective laws. Accordingly, identity tout court with European standards is not required, provided that the third country’s relevant regulatory system proves, in practice, to effectively ensure an adequate level of protection.
Another innovative element that shows the commitment to follow up on the grievances highlighted in the CJEU’s rulings is the establishment of a specific independent and impartial redress mechanism for the resolution of European citizens’ complaints.
Following the changes introduced by the executive order, the European Commission confirmed that the conditions exist to ensure compliance with the elements of substantial equivalence of the safeguards and principles set out in the GDPR. The adequacy decision will become final upon completion of the adoption procedure, which also includes an opinion of the European Data Protection Board (“EDPB”). In light of recent evolutions, it is reasonable to expect significant developments in the near future.
This article is for information purposes only and is not, and cannot be intended as, a professional opinion on the topics dealt with. For any further information please contact Marco Cappa and Matteo Calì.