On July 10, 2023, the European Commission approved the new adequacy decision under Article 45 of Regulation (EU) 2016/679 (GDPR), giving the green light to the transfer of personal data from Europe to the United States without the need, for the eligible entities involved, to put in place additional safeguards to protect the rights of data subjects.
- EU-US Data Privacy Framework, after Schrems II
Notably, the adequacy decision endorses the legitimacy of the so-called “EU-US Data Privacy Framework” (EU-US DPF), the framework for transatlantic exchanges between European and US companies. The European Commission found that this agreement, unlike its invalidated predecessor (“Data Privacy Shield”), offers adequate safeguards for the protection, by the US, of the fundamental rights of European citizens whose personal data are transferred overseas.
The decision adopted by the Commission resolves a regulatory vacuum that had persisted since 2020, after the Court of Justice of the European Union, in the notorious Schrems II case, invalidated the previous agreement for transatlantic transfers (“Data Privacy Shield”), finding it inadequate to protect the fundamental rights of European citizens. More specifically, the main shortcoming of the previous scheme was considered to be its inability to ensure that the data of European data subjects, once transferred to the United States, would be protected against local authorities and their ability to access them for national security reasons. In other words, the problem identified by the CJEU was the approach of the US legislation, which, while allowing disproportionate access to the personal data of European citizens, did not offer adequate mechanisms of protection (e.g., judicial protection), actionable by them in case of a violation of their rights.
After Schrems II, the European Union and the United States entered into a lengthy negotiation that led US President Joe Biden to sign, on 7 October 2022, the Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities”, by which he undertook to make changes to domestic legislation so as to bring it in line with the above-mentioned ruling of the Court of Justice of the European Union, and thus with the logic of protecting fundamental rights set forth in the GDPR and the Nice Charter.
The goal seems to have been achieved, as the EU-US DPF now includes elements that apparently raise the level of protection for data subjects.
- Highlights of the new agreement: certifications and impartial redress mechanisms
The agreement is based on a system of certifications − in this sense, the regime is similar to that of the “Data Privacy Shield” − that US companies must obtain in order to participate in the mechanism for the transfer of data from Europe. To be more precise, companies will have to self-certify that they adhere to a set of principles established by the US Department of Commerce (DoC). Those principles are now reflected in the Adequacy Decision (in Annex I) and replicate, subject to the necessary adaptations, those established by the GDPR. Self-certifying companies will be admitted to the framework list only after the Department of Commerce has ascertained that they actually comply with those principles, and they may be excluded from the agreement later on if the Department determines that the company has not renewed its certification (which must in fact be renewed annually) or has violated any of the principles in Annex I. In any case, obtaining certification means that US companies are subject to the audit and inspection powers of the US Federal Trade Commission (FTC) or the US Department of Transportation (DoT).
However, the key point of the new scheme approved by the European Commission is the revision of the redress mechanisms, which can be activated by European data subjects in case their fundamental rights are abused by the US surveillance authorities.
In particular, the Ombudsperson mechanism, which was rejected by the CJEU for not being entirely impartial and thus not being able to guarantee, for the European citizens concerned, a protection equivalent to that provided by Article 47 of the Nice Charter, is replaced by a system composed of the Civil Liberties Protection Officer (CLPO), which is in charge of receiving and screening in the first instance the complaints of the data subjects, and the Data Protection Review Court. The latter can be addressed if the data subjects are not satisfied with the decision of the CLPO.
A point worth stressing is the impartial composition of the Data Protection Review Court, which in fact will be composed of legal professionals, with experience in the areas of privacy and national security, independent from the US Government.
- Toward Schrems III?
Even though the framework we are discussing has been welcomed by many, there are nevertheless those who still have strong doubts about the new system of data transfer. The most critical voices certainly come from the nonprofit organization noyb, whose founder, the Austrian lawyer Max Schrems, has already declared that he will, once again, challenge the European Commission’s adequacy decision. In his view the decision represents nothing less than a copy of the old “Data Privacy Shield”, whose content, he claims, was re-proposed unchanged within the new scheme, modified on a merely formal basis.
As is well known, Max Schrems has long been fighting a judicial battle on behalf of the fundamental rights (i.e., right to privacy) contemplated by the European legislation, which in his view is irreconcilable with the American legal system. After having brought to the attention of the CJEU first the mechanism known as “Safe Harbour”, which was invalidated in the Schrems I case, and then the aforementioned “Data Privacy Shield”, which was also struck down by the Luxembourg Judges in the Schrems II case, it seems that the Austrian lawyer is ready for a third episode of the long judicial saga.
- Concluding remarks
The decision adopted by the European Commission is an important step toward the construction of a smart global marketplace, within which the free movement of data − vehicles of information and development − is encouraged as much as possible. Allowing companies to exchange the data in their possession means enabling them to understand more accurately the needs of the whole community.
This does not mean that the right to privacy should be ignored. On the contrary, it should be strongly valued. Perhaps, the mistake is to believe that “free movement of data” and the “right to privacy” exclude each other, when in fact the two elements must be seen as allies. Adherence to the principles of the GDPR, and more generally to a culture of protecting fundamental rights as such, may be the focal point of the discourse that is today engaging, dividing, and exciting scholars and non-scholars everywhere.
The adequacy decision commented on above seems to have taken all these points into consideration, even if there remain notes of criticism from some insiders who, rightly or wrongly, have already questioned the legitimacy of the new EU-US Data Privacy Framework. We will see, in due course, what the Court of Justice of the European Union’s assessment on the matter will be.
Article by Marco Di Cioccio and Giulio Monga