The European Commission (the “Commission”) published today its draft adequacy decision for the US (the “Draft Decision”). This paves the way for an institutionalized personal data transfer mechanism across the Atlantic to emerge (and already raises the prospects of it being under scrutiny again).
If your pre-holiday workload (which also includes the transition of your old SCCs to the new ones, another transfer duty) does not allow you to read the full 134-page Draft Decision, here is a little tour of what you need to know before it becomes final (and this might still take some time).
Before, there stood two…
For those with longer memories, the Commission has been here before – remember the Privacy Shield or even its predecessor, the Safe Harbour? Both were invalidated by the Court of Justice of the European Union (the “CJEU”) after challenges from the privacy activist Maximilian Schrems. In the last chapter of the Schrems saga, the CJEU raised several deficiencies with the Privacy Shield which the Executive Order signed by the US President earlier this year (see our blogpost on the topic) seeks to address, so as to provide organizations with a long-lasting personal data transfer framework.
The draft confirms that according to the Commission:
- As expected, necessity and proportionality (principles close to the heart of EU privacy professionals) play a big role. Binding safeguards will limit access to personal data by US intelligence agencies to what is necessary and proportionate to protect national security;
- US intelligence agencies will need to come up with internal procedures to ensure compliance with these rules. For example, they will need to train their employees to ensure that they understand the obligations imposed by the Executive Order;
- A two-stage redress mechanism will be available to data subjects who want to bring complaints against the US intelligence agencies for potential breaches. The first stage will allow data subjects to complain to a Civil Liberties Protection Officer who will determine if there is a breach and make an order for remediation. The second stage will allow data subjects to have complaints reviewed by a Data Protection Review Court. This court will review the decisions from the first stage and issue a binding decision. Where a violation is found, it will also make an order for remediation. Redress was one of the major points addressed by the CJEU in Schrems II, so the effectiveness of the mechanism will be crucial to ensuring that an adequacy decision remains viable;
- In addition to redress against US intelligence agencies, the Privacy Shield 2.0 gives Union data subjects multiple redress options against the certifying organizations processing their personal data;
- Under Privacy Shield 2.0, US companies will need to certify (again) and commit to comply with a wide-ranging set of privacy obligations such as purpose limitation. To maintain the principle that “protection travels with the data”, these new obligations will also include commitments when sharing personal data onwards with third parties.
Three strikes, you are out! (maybe)
Whilst the Commission stands strong in its hope (it is that time of the year, after all) that the Draft Decision will allay the concerns of privacy campaigners, Max Schrems and the campaign group NOYB have made it clear they are going to challenge the revised framework when adopted. Hence, there is a risk of it being invalidated in the same way as its predecessors.
In relation to the proposed redress mechanisms, Max Schrems has stated: “I think (the proposed redress system) is an upgrade, but it’s still going to be very hard for the CJEU to look at that and say that is a court under Article 47 (of the EU Charter of Fundamental Rights).” Article 47 enshrines the principle that everyone subject to EU law has the right to an effective judicial remedy and a fair trial. If the CJEU finds in a new “Schrems III” that the redress mechanism still fails to adequately fulfil the criteria in Article 47, then we will no doubt find ourselves back to square one. Nevertheless, EU Justice Commissioner Didier Reynders has urged early critics of the mechanism to give it more time, stating “[p]lease test the system before you say it’s inefficient.” This also reflects comments recently made by the European Commission Head of International Data Flows and Protection Bruno Gencarelli, who said of the mechanism: “[t]his is significantly different, even recognized by the most critical voices, from what we had before.” Perhaps forgotten in this never-ending Punch and Judy is the voice of business which will no doubt welcome the momentum that will come with the final adoption.
The US will still not be completely off the hook though. The Commission will review the functioning of the Privacy Shield 2.0 periodically, and the first review is set to take place one year after the adequacy decision has entered into force. This short review period might reflect the Commission’s concerns that what was agreed in the Framework will somehow slip. By comparison, the first review period for the adequacy decision adopted for the Republic of Korea was three years.
In the interim, and just after companies have finalised their legacy SCCs transition project, US data importers should start familiarizing themselves with Privacy Shield 2.0. If you certified to the Privacy Shield, what are the actual consequences of the revised framework and what should be done to be ready by the time the certification process becomes available? If you did not certify to the Privacy Shield, should you revise your views considering the privacy-enhancing benefits that Privacy Shield 2.0 will be offering? And lastly, if you are still unable to certify because you are outside the scope of Privacy Shield 2.0 (and there are a couple of those instances to consider), what does this mean for your personal data transfers?
Do not plan on reading a book over the holiday season; be ready for another busy year for privacy.