No more headaches when transferring data to the US? The new adequacy decision adopted by the European Commission on July 10, 2023 allows personal data to be transferred freely to self-certified companies in the USA.
The adoption process for this new agreement
This adequacy decision replaces the previous agreement, the Privacy Shield, which was annulled by the Court of Justice of the European Union on July 16, 2020 in the Schrems II ruling.
The Schrems II ruling denounced the lack of safeguards and remedies offered by the United States to European residents, whose data was collected and used by US authorities as part of intelligence activities.
Following the invalidation of the Privacy Shield, US President Joe Biden issued an Executive Order (EO 14086) reinforcing the binding guarantees regarding the collection and use of personal data by US intelligence authorities. Henceforth, those authorities must ensure that their collection is "necessary and proportionate", and their activities can be monitored through a new independent and impartial redress mechanism that finally gives European residents recourse against any data collection that does not respect their rights.
This agreement will be reassessed by the Commission one year after its adoption, and every 4 years at the latest thereafter.
What will this new adequacy decision establish?
This new adequacy agreement puts an end to the instability of transatlantic data transfers, as a data transfer to the United States no longer requires additional transfer safeguards. In addition, the agreement confers new rights in the event of transfers to the USA, such as the right to rectification or deletion of data deemed inaccurate or processed unlawfully.
The agreement also confers certification on US companies that undertake to respect data protection obligations (limitation of processing purposes, minimization of data retention, data security, etc.). All of this will be managed by the U.S. Department of Commerce, which will issue accreditations. The Federal Trade Commission will be in charge of auditing their compliance over the long term.
The big addition in this agreement is the presence of a genuine redress body, together with guarantees and limitations on access by US intelligence services to the data of European residents. Such collection will be limited to what is necessary and proportionate to protect national security.
In the event of non-compliance with this principle, the American authorities can be held to account by an independent redress mechanism built around a Data Protection Review Court. The mission of this court will be to handle claims and appeals concerning the processing of personal data by US administrations.
The redress mechanism
When an EU national wants to make a claim, he or she will first have to lodge it with his or her national data protection authority (for example, the CNIL in France). The claim will then be forwarded to the USA via the European Data Protection Board and examined in the first instance by the "delegate for the protection of civil liberties" of the American intelligence community.
Subsequently, the persons concerned will be able to make a second appeal to the Data Protection Review Court (DPRC). This court is made up of members from outside the US government, who can only be removed for good cause. The court will investigate the claim and may issue binding corrective decisions, such as the deletion of data. A special counsel will be appointed to represent the claimant's interests before the court.
Since the agreement guarantees that the US has implemented data protection measures sufficient with regard to the GDPR, it facilitates transfers between the US and Europe and makes it easier to use standard contractual clauses or binding corporate rules (BCR). When assessing the additional safeguards provided for a transfer, this adequacy decision makes it possible to consider that the level of data protection is adequate and that it provides the essential European guarantees ensuring a level of protection equivalent to EU law.
A new agreement already called into question
Even before the adoption of this adequacy decision, numerous criticisms had already emerged.
Indeed, according to the association None Of Your Business (NOYB), this new transatlantic framework is a pale copy of the previous agreement, the Privacy Shield. It denounces the fact that the mechanisms introduced by the United States are insufficient and are merely empty shells that do nothing to guarantee the rights of European citizens.
In its view, the addition of the word "proportionate" in the Executive Order is proportionate only from the point of view of the American authorities. That is, the surveillance permitted by FISA 702 is "proportionate" in the eyes of the US government, leaving US and European authorities with different understandings of the term "proportionate".
Secondly, NOYB criticizes the new redress mechanism. It states that the European citizen has no direct interaction with the newly introduced court, and in practice can only go through his or her national data protection authority. It also denounces that the Court is not a real court but an independent executive body. The association adds that the Court's ruling is known in advance, since it is prescribed by Executive Order 14086, which in practice prevents European nationals from having their complaints upheld.
Finally, NOYB denounces the fact that the United States has not amended FISA 702 to add safeguards for European citizens, so that violations of their right to privacy remain outside the protection of the Fourth Amendment, leaving them without recourse against abuses by the US authorities.
The association intends to bring the matter before the CJEU in the coming months, once the agreement has been put in place by companies, with the aim of having the appeal reach the Court of Justice of the European Union by the end of the year so that it can issue a "Schrems III" ruling by 2024 or 2025.
What transfers are involved?
Transfers concern all data covered by the GDPR; there is no limitation to certain types of data. This includes commercial and non-commercial data (such as human resources data), subject to the certification of the organizations involved and, for human resources data, compliance with certain conditions. Data falling under the Police Justice Directive is not affected by this decision but falls under the December 10, 2016 agreement.
Should data be transferred or not to the United States?
As the law currently stands, transfers to the United States are possible and the procedures are simplified. It is hard to anticipate a ruling by the EU Court of Justice and an annulment of the decision, so it is entirely possible to use this new legal framework.
However, care must be taken to ensure that the transfer is made to a receiving organization (i.e. another data controller or processor) that appears on the list of certified organizations. This list can be accessed on the site dedicated to the new EU-US framework.
In all cases, it is up to the organizations setting up transfers to identify and track them. This tracking can be carried out effectively through the record of processing activities.
This does not remove the obligation to comply with all GDPR rules in data processing. In particular, the use of processors must comply with the conditions of Article 28 of the GDPR: the contract must include personal data protection clauses. The new data protection framework requires certified US companies to comply with numerous principles that can usefully be reiterated in the outsourcing contract.
Therefore, it remains advisable to carry out a TIA (transfer impact assessment) that takes this adequacy decision into account.
How does Dastra help you?
Dastra enables you to easily identify data transfers to the USA, generate standard contractual clauses with your processors, and perform TIAs. Dastra will include the list of certified companies directly in its repositories.