BEERG Newsletter - GDPR: Commission confirms EU-US Data Privacy Framework adequacy

Derek Mooney writes: On Monday, 10 July 2023, the EU Commission adopted its long-awaited adequacy decision on the recently negotiated EU-U.S. Data Privacy Framework (DPF). The adequacy decision will have immediate effect, giving a lawful basis for trans-Atlantic data transfers from data transfers which certify compliance with the DPF principles. For more information on the Adequacy Decision and the DPF principles see this EU Commission webpage.  

They say the third time is lucky… so, we hope this third attempt to implement a robust and sustainable system for transatlantic data flows to the US, works. The two previous attempts Safe Harbour and Privacy Shield were struck down by the ECJ/CJEU. First, we had the “Schrems I” decision which scuppered on Safe Harbour in 2015, followed soon by the 2020 ECJ/CJEU “Schrems II” decisions which invalidated the EU-US Privacy Shield.

The EU Commission believes that EU-U.S. Data Privacy Framework and the DPF principles which underpin it, address the concerns raised in the 2020 Court decisions, saying: 

"The European Commission's adequacy decision concludes that the United States ensures an adequate level of protection, compared to that of the EU, for personal data transferred from the EU to US companies participating in the EU-US Data Privacy Framework… 

…The adequacy decision follows the US's signature of an executive order which introduced new binding safeguards to address the points raised by [the] Court of Justice of the European Union in its Schrems II decision of July 2020.

Notably, the new obligations were geared to ensure that data can be accessed by US intelligence agencies only to the extent of what is necessary and proportionate and to establish an independent and impartial redress mechanism to handle and resolve complaints from Europeans concerning the collection of their data for national security purposes.”

The question now is, will the EU-U.S. Data Privacy Framework result in a Schrems III invalidation? 

Privacy activists, particularly Max Schrems and his NOYB privacy group, think it will and are already set for an ECJ/CJEU challenge. Responding to the Commission announcement Schrems stated: 

"NOYB has prepared various procedural options to bring the new deal back before the CJEU (Court of Justice of the EU)… We expect the new system to be implemented by the first companies within the next months, which will open the path towards a challenge by a person whose data is transferred under the new instrument. It is not unlikely that a challenge would reach the CJEU by the end of 2023 or beginning of 2024.”

While the history of this battle suggests that a third invalidation is possible, it seems improbable. Circumstances have changed. Even in the three years since Schrems II. You have the implications of Russian invasion of Ukraine and the critical importance to the trans-Atlantic data economy of AI and other cloud technologies require robust cross-border data flows. 

The EU Commission’s briefings suggest that it has learned a lot from its past defeats and that it is confident that it can address the EU court’s concerns. If it has, then all that remains for the privacy activists is their extreme and absolutist demand that the US abandon all security and intelligence gathering activity - a reckless position post the Russian invasion.

The EU Adequacy Decision also raises questions about the long running Meta vs Irish DPC case. Some observers believe the new framework supersedes the DPC's transfer ban, though the Irish Independent newspaper reports that Meta will still appeal the DPC’s ruling due to the size of the fine.

Might we be at the end of an almost decade long saga over EU/US data transfers? We certainly hope so  - and that trans-atlantic companies can benefit from durable and robust data transfer systems that protect user data with minimal bureaucracy.