International data transfers to the US: update

The Commission will then seek the approval of a committee composed of representatives of the EU Member States and, once this procedure is completed, will go ahead with the adoption of the final adequacy decision.

Under the General Data Protection Regulation (“GDPR”), the adequacy decision is a tool that makes it possible to carry out international data transfers from the EU to third countries. This can happen if the Commission has decided that a third country, a territory or one or more specified sectors within that third country ensures an adequate level of protection ^[3]. This means that personal data can flow to a third country (i.e., outside the European Economic Area ^[4], without being subject to any further conditions or authorisations. However, this is subject to periodic review of adequacy decisions by the Commission. 

The Privacy Shield was declared invalid and it had caused considerable difficulties in transatlantic transfers and the contracting of service providers, such as cloud services. Now, the European Commission and the US government have started discussions on this new legal framework.

The draft reflects the concerns expressed in the Schrems II decision and it is intended to strengthen the protection of EU residents’ personal data. It is also intended to increase legal certainty regarding the contracting of service providers in the US.

Among other things, the draft decision (i) limits access to data by US intelligence services; (ii) strengthens oversight of US intelligence activities to ensure compliance with limitations on surveillance activities; and (iii) introduces an independent and impartial appeal mechanism to investigate and resolve complaints regarding access to its data for national security purposes. The draft adequacy decision concluded that the US ensures an adequate level of protection for personal data transferred from the EU to US companies ^[5].

As with the previous two rulings, this decision will not apply to all international transfers to the US. It will only apply to transfers to companies that are part of the EU-U.S. Data Privacy Framework and which are therefore bound to comply with the resulting obligations.

The adequacy decision is expected to be adopted in the first half of 2023. However, it is necessary to consider the importance and frequency of personal data transfers to the US, the time needed for US companies to obtain certification, and the uncertainty that has been associated with the issue. In view of this, it is recommended, for now, that companies commit to respecting the terms of the Commission's standard contractual clauses ^[6].

Standard contractual clauses, which companies can introduce in their commercial contracts, are the most commonly used mechanism for transferring data from the EU. They should be adopted, together with a review of the actual data transfer to check whether they are sufficient. It is also recommended that they be put in place by the time the new Adequacy Decision enters into force. The Schrems II judgment held that the standard contractual clauses must be accompanied by other measures and that signing them alone is not sufficient. It also held that exporters must analyse the legal system of the importer's country on a case-by-case basis to ascertain whether it is likely to undermine the guarantees contained in these clauses. Currently, and for transfers to the USA, this analysis may be based on the draft adequacy decision, insofar as it describes in detail the North American legal arrangements for access to data by intelligence services and government authorities (which was at the root of the declaration of invalidity of the Privacy Shield).

The European Commission, the supervisory authorities and the competent authorities of the US will carry out periodic reviews of this framework. The first such review will take place within one year of the entry into force of the adequacy decision.