International transfer of personal data from the EU to the US: where do we stand?
by Katia Volodine
Last month, the European Data Protection Board (EDPB) has rendered its opinion on the new framework for transatlantic exchange of personal data, the EU-U.S. Data Privacy Framework. (The EDPB is a body made of all EU data protection authorities, or DPAs, which contributes to the consistent application of data protection rules throughout the European Union and promotes cooperation among DPAs.)
The General Data Protection Regulation has set up strict safeguards around transfers of personal data from the EU to any third country (for example, the US). Such transfers can only be made on very specific grounds, for example:
- on the basis of an adequacy decision made by the EU Commission (and so far, only 14 jurisdictions in the world have been recognized as adequate),
- pursuant to standard contractual clauses adopted by the EU Commission in conjunction with adequate safeguards, or
- binding corporate rules approved by the relevant DPA.
With respect to the transfer of personal data to the US, the EU and the US had already adopted two different frameworks in the past, the most recent one being the defunct Privacy Shield which was deemed adequate and thereby enabled international flow of data, facilitating such transfers. However, there were significant concerns over inter alia a wide power of US intelligence services to access personal data coming from the EU, at large scale and with no or insufficient safeguards and due process. This was heavily debated and finally confirmed by the CJEU in 2020 (Schrems II case). The EU and the US quickly entered new negotiations to provide for a third framework for the international transfer of data.
The EU Commission produced a draft of its decision on 13 December 2022 and such decision enables US companies to rely on self-certification of compliance. This means that if a company certifies compliance with the principles as stated under the Data Privacy Framework, it can supposedly provide European data subjects with a level of data protection that is “essentially equivalent’ to that provided within the EU, and hopefully benefit from an adequacy decision.
The EDPB has now assessed the adequacy of the level of protection given to EU data subjects in light of the decision made by the EU Commission. While the EDPB noted significant improvements compared to the previous legal framework, it still expressed concerns and the need for certain clarifications.
It has for example expressed concerns around the access and use of personal data transferred from the EU by public authorities in the US. In particular, the US have adopted an Executive Order enhancing safeguards for US signals intelligence activities (EO 14086). The EDPB noted that such adoption shows significant improvements to the privacy safeguards, with the creation of a new redress mechanism for EU individuals creating direct rights of redress to EU citizens. EO 14086 also created more safeguards for the independence of the Data Protection Review Court and effective powers to remedy violations. The EDPB however pointed that this specific redress mechanism is not sufficient due inter alia to a perceived lack of independence of the Data Protection Review Court.
The EDPB also expressed concerns around the collection of bulk data, i.e. data collected without discriminants, under Executive Order 12333. The EDPB notes the lack of a requirement for prior authorization by an independent authority, as well as a lack of systematic independent review by a court or an equivalently independent body after collection by a court or other independent body.
The draft of the decision as proposed by the EU Commission will also need to be reviewed by the EU Parliament and the final adequacy decision is expected to be adopted this summer (in 2023).
Companies transferring personal data to the US should thus consider this development so as to maximize the safeguards to transfers of personal data. Once the adequacy decision is adopted, it should create more certainty in terms of international transfers of data. A comfort which might well be short-lived, as several parties (NGOs and experts in the field) already announced their intention to challenge this third framework in court, just like its two predecessors.
Any questions or issues? We would be happy to assist you with any questions in the field of data protection. Reach out to us at firstname.lastname@example.org