The European Commission’s adequacy decision for the EU-US Data Privacy Framework (the ‘Framework’) still has a significant beneficial impact for companies even if they continue to rely on the EU Standard Contractual Clauses (‘SCCs’) for transatlantic data transfers instead of participating in the Framework due to the findings in the decision regarding updated US laws and practices.
The decision confirms that the EU Commission considers the designation of the EEA as a qualifying organisation under Executive Order 14086 in the US and safeguards put into place by respect to the collection of personal data by US intelligent agencies are sufficient to address concerns raised by the Court of Justice of the European Union (‘CJEU’) in Schrems II.
If companies continues to rely on SCCs for EU-US data transfers, TIAs will still be required but the Commission’s findings that it considers US surveillance laws to no longer be problematic means that companies can more confidently come to the same conclusion in their TIAs. The decision therefore makes it difficult to argue data transfers to the US based on the SCCs would not have a sufficient level of protection.
This is supported by the Commission’s answer in their Q&A on the decision regarding the impact on the possibility to use other tools for data transfers to the US. The Commission confirmed that safeguards put in place in the US in the area of national security apply to all data transfers under the GDPR to companies in the US, regardless of the mechanism used and the safeguards therefore “also facilitate the use of other tools, such as standard contractual clauses and binding corporate rules”. This makes it clear that the adequacy decision applies beyond the Framework and also covers the SCCs so although the requirement of the TIA does not disappear, the assessments are simplified by being able to cross reference the adequacy decision.
In addition, the European Data Protection Board has published an information note on the decision where it “underlines” that all the safeguards put in place by the US apply to all data transferred to the US “regardless of the transfer tool used” which further strengthens the view that the Framework is significantly beneficial even if companies continue to rely on the EU SCCs.
Based on the guidance we have until now, there is also a reasonable argument to say that as the Commission considers US legislation and practices to no longer be a problem, supplementary measures are no longer necessary for transatlantic data transfers based on the SCC. The Norwegian Data Protection Authority has also stated that it considers the European Commission’s decision to confirm that supplementary measures are no longer necessary, showing that even relatively conservative DPAs may align to this approach.
It is important to note however that Schrems has, as expected, already spoken out in opposition of the adequacy decision. So, we do anticipate that a challenge against the decision will be initiated and should that legal challenge run its course, it’s conceivable that could result in the eventual invalidation of the decision, likely bringing us back to the same position companies were in prior to this adequacy decision. However, the fact that a challenge is possible or even likely to follow, does not itself negate the positive position that the decision affords to the use of SCCs. Indeed, that favourable position extends to Binding Corporate Rules too.
Furthermore, the adequacy decision does not apply to the UK and the UK and US governments still need to take formal steps to confirm that the Framework has been adopted as the basis for an adequacy decision under the UK GDPR. The latest development we have seen here was the announcement by the UK and US governments that the countries have committed in principle to establish a “data bridge” for the UK Extension to the Framework.
Regardless of their position on the Framework, companies should now update TIAs in light of the enhanced protections for personal data pursuant to the Executive Order and other updates to US laws.