Will the European Commission’s new adequacy decision finally promote transatlantic data transfers between the U.S. and the EU?
On 13/12/2022, the European Commission initiated a procedure for its adoption. In doing so, it relies on the executive order issued by U.S. President Biden and the regulations issued by U.S. Attorney General Garland. Since the EU-US Privacy Shield was declared invalid by the Schrems II ruling, the transfer of personal data from the EU to the USA has not been clearly regulated and has become significantly more difficult. The new decision could thus represent the third chance for regulated data flows. The draft has already been submitted to the European Data Protection Board (EDPB) and must still be confirmed by the EU member states. Can we look forward to a change that will be liberating and more secure for all sides?
What is an adequacy decision?
After appropriate examination, the Commission may determine that a given third country ensures an adequate level of protection. The determination may also be limited to a specific area or sector in the third country, or even to specific categories of data. An adequate level of protection exists where the third country, on the basis of its domestic law and its application of that law, the existence and effective functioning of one or more independent supervisory authorities, and its international commitments, has a level of protection equivalent to that afforded by the General Data Protection Regulation.
A data transfer based on such an adequacy decision does not require any further approval by the national supervisory authority responsible for the controller or processor. The other requirements of the General Data Protection Regulation regarding the permissibility of data processing apply independently (“two-step test”).
The General Data Protection Regulation provides for the continued application of adequacy decisions already issued (Art. 46 (5) sentence 2 GDPR). Such decisions exist for the following countries:
- Andorra
- Argentina
- Faroe Islands
- Guernsey
- Israel
- Isle of Man
- Japan
- Jersey
- Canada (for commercial organizations only)
- New Zealand
- Republic of Korea (South Korea)
- Switzerland
- Uruguay
- United Kingdom
Data transfer to the US possible again soon?
Especially for IT companies such as SaaS providers, a constant problem is that transferring user data to the USA has been very difficult since Schrems II. It is therefore quite a hopeful moment that, after almost a year of intense negotiations, the EU Commission has published the proposal for a new adequacy decision: 134 pages full of opportunity to attest that U.S. data protection law provides an adequate level of protection under Article 45 GDPR. If the decision comes into force in the coming months, companies and organizations will be able to join the so-called EU-US Data Privacy Framework and transfer personal data from the EU to the USA.
The European Court of Justice (ECJ) has ruled that such a decision does not necessarily require data protection that is functionally equivalent to the EU level, but that data protection must be effectively implemented. This, in turn, is what the U.S. could not guarantee, for example because of the Foreign Surveillance Act. It is questionable, of course, whether President Joe Biden’s Executive Order 14086 can change that. In the future, U.S. services are to ensure that their data collection is “necessary and proportionate”, and that collection is to be better controlled.
Otherwise, the new Privacy Shield is expected to function similarly to the old one. Again, nothing applies automatically. U.S. companies that want to come under the EU-U.S. Data Privacy Framework must register with the trade regulator FTC and accept the associated obligations.
Of course, it remains to be seen how a final version of the decision will read. Corporate planning should also take into account that there will certainly be lawsuits against a new adequacy decision as well.