Hope for (temporary) relief on US data transfer

In the past year, important changes have taken place to address the previously uncertain legal situation regarding US data transfers. The Executive Order on “Enhancing Safeguards For United States Signals Intelligence Activities” (“EO”) issued in October 2022 is now intended to pave the way for a new agreement on data transfers between the EU and the US (Data Privacy Framework (“DPF”)). The primary objective of the EO is to address and remedy the main criticisms of the Schrems II decision.

However, there are doubts as to whether the regulations established in the EO can actually meet the CJEU’s requirements for the necessary level of protection. In particular, the question of the independence of the “courts” entrusted with the review and their integration into the executive branch are considered problematic. However, the Commission does not seem to share these fears and considers the efforts on the part of the US to be sufficient.

The Commission published its draft adequacy decision in December 2022. This is essentially based on the same system that was used for the EU-US Privacy Shield. The main difference to the Privacy Shield is found in the assessment of the obligations of the US intelligence services, which, according to the Commission, have improved as a result of the EO.

The draft was forwarded to the European Data Protection Board (EDPB) and the European Parliament for a corresponding opinion. At the EDPB meeting of 16 January 2023, the Commissioner responsible, Didier Reynders, presented the adequacy decision to the EDPB. The EDPB subsequently discussed the joint opinion of the data protection authorities. There, the opinions published so far differ: while the Hamburg Data Protection Authority considers an EO to be a viable solution in principle, the Data Protection Authority of Baden-Württemberg is not convinced. A consultation with the European Parliament is still pending. However, if one takes the plenary resolution of 2018 as a basis, the Commission will especially have to convincingly demonstrate that mass surveillance is ruled out in the future. The final adoption of the adequacy decision is currently expected in the second quarter of 2023.

In the meantime, anyone who wants to get more in-depth information should read the overview of the opinions held until January 2023 and further background information in a briefing by the European Parliament’s scientific service. Also noteworthy in this context is the briefing on the further procedure, which also provides background information on European data protection policy.

A soon as the adequacy decision is adopted, data transfers to the US will be simplified, provided that the respective data importer certifies under the DPF. The agreement of standard contractual clauses (“SCC”) and the performance of transfer impact assessments (“TIA”) will then no longer be necessary. If the recipient does not obtain certification, the SCC will continue to apply. However, it will probably then be possible to dispense with an intensive assessment within the framework of the TIA by referring to the adequacy decision.

For the year 2023, the directly applicable EO already results in innovations for data transfers, which should be considered when assessing national law in the context of the TIA. However, it must be taken into account that the US intelligence services have been granted a transition period of one year to implement the measures of the EO and that the classification of the EU as a “qualifying state” is still pending. For this reason, EU citizens will probably not yet be able to invoke the new mechanism for legal remedies. Furthermore, it can be assumed that the CJEU will review the DPF in the foreseeable future. It remains to be seen whether the DPF will permanently resolve the dispute over US data transfer.