Breaking Boundaries: US Adequacy Standing & The Impact on Your Business

The EU-US Data Flow History

You may have seen your LinkedIn explode with the news of the EU-US Adequacy Decision. Most companies know the history that led to the restriction of EU data flows into the US, with Meta, Microsoft and other big tech companies under the microscope for their data transfer practices. In case you don't know what we are talking about, or need some digestible bites of information, let's review the history. For years the US lacked an adequacy standing in the eyes of the European Commission ("EC"), despite a few unsuccessful attempts to remedy the situation. In other words, the EC did not consider that the US offered a level of protection for personal data essentially equivalent to the GDPR. Lucky for us Canadians, Canada has held an adequacy standing from the EC since 2001 for organizations subject to PIPEDA. The lack of a US adequacy standing made it difficult to lawfully transfer EU data to the US. Interestingly, many companies continued to do so anyway, as the cost and efficiency seemed to outweigh the risks.

For the most part, the controversy started in 2013 when Maximilian Schrems filed the first in his series of complaints, initially against the Safe Harbor framework and later against the Privacy Shield. In October 2015 (the "Schrems I" decision) the Court of Justice of the European Union ("CJEU") declared that the Safe Harbor framework did not provide the level of protection for personal data that EU law expects. The key issues identified were the access US authorities had to transferred data on a "generalized basis" and the lack of effective legal remedies for data subjects in the US.

Once the Safe Harbor framework was invalidated, the Privacy Shield was adopted in 2016 as an attempted fix. In July 2020 the CJEU declared the Privacy Shield invalid as well; that judgment is the "Schrems II" decision. It rested on essentially the same reasons as Schrems I: disproportionate government access and no effective redress. As a result, companies were once again left without a ready mechanism to lawfully transfer EU data to the US. In essence, the numerous businesses that had been transferring data on the basis of Safe Harbor and then Privacy Shield found themselves doing so without a valid legal basis overnight. This was not only impractical, it left businesses with no straightforward alternative.

After Schrems II, we saw the uptake of Standard Contractual Clauses ("SCCs") under Article 46 GDPR, accompanied by Transfer Impact Assessments ("TIAs") and supplementary measures (technical, contractual and organizational), as required by the CJEU and the EDPB's follow-on recommendations. These mechanisms are laborious and costly, and supervisory authorities still found them insufficient in subsequent enforcement decisions. Seemingly the expectation was that EU data should not enter the US under any circumstances and each jurisdiction should function in a vacuum.

The new Schrems II era made the transfer of EU personal data to the US a very costly and time-consuming endeavour. This was particularly so for small and medium businesses that had a limited privacy budget and resources. 


July 10th Adequacy Decision

We now see a glimmer of hope for businesses collecting and/or processing EU data in the US (even if only via a US vendor). While this decision mostly affects US businesses, Canadian businesses benefit as well, since many of them transfer EU data to US vendors, which before the decision was a costly and risky endeavour.

On July 10, 2023, the EC adopted an adequacy decision for the US, concluding that the criticisms raised in Schrems I and II have been addressed. This ground-breaking decision once again allows EU personal data to flow to the US without the need for additional transfer tools or risk assessments (e.g. SCCs and TIAs), provided the receiving company holds a valid certification under the Framework and adheres to the safeguards the EC has highlighted. In other words, the EC concluded that the US ensures an adequate level of protection for EU personal data so long as the US company collecting or processing it participates in, and is certified under, the EU-U.S. Data Privacy Framework ("Framework").

EU-US Data Privacy Framework

Companies in the US can join the Framework by committing to comply with a detailed set of privacy obligations. The US company must self-certify and re-certify annually. Once the company is placed on the Framework list by the US Department of Commerce ("DoC"), it is entitled to rely on the Framework as the basis for receiving EU personal data. The DoC has the power to verify whether companies meet the certification requirements and can conduct "spot checks" of randomly selected companies, or of companies where it is made aware of possible non-compliance.

The Framework introduces binding safeguards that address many of the concerns raised by the CJEU, on both the company side and the US government side. It also provides redress to data subjects should a company fail to comply. While there are many safeguards, the noteworthy ones include the following.

A certified company must:

  • Delete personal data when it is no longer necessary for the purpose for which it was collected.

  • Ensure continuity of protection when personal data is shared with third parties (accountability for onward transfer).

  • Publicly declare its commitment to comply with the Framework, make its privacy policy available, and fully implement it.

  • Submit to the investigatory and enforcement powers of the Federal Trade Commission ("FTC") or, for air carriers and ticket agents, the U.S. Department of Transportation ("DoT").

On the US government side, Executive Order 14086 and the accompanying Attorney General regulations:

  • Limit US intelligence services' access to EU data to what is necessary and proportionate.

  • Introduce a two-tier redress system to investigate and resolve complaints from EU data subjects about access to their data by US intelligence authorities. The first tier is the Civil Liberties Protection Officer of the Office of the Director of National Intelligence; the second is a newly established Data Protection Review Court ("DPRC"). If the DPRC determines that data was collected in violation of the safeguards, it can order remedial measures including deletion of the data. DPRC judges are appointed from outside the US Government on the basis of specific qualifications.

  • Apply to all personal data transferred from the EU to the US regardless of the transfer tool, so these safeguards also facilitate transfers made under standard contractual clauses and binding corporate rules.

The Framework will be subject to periodic reviews carried out by the EC together with representatives of the European data protection authorities and the competent US authorities. Furthermore, the EC states that oversight and enforcement of the Framework principles are stronger and stricter than they were under the Privacy Shield.

Consistent with the EU-US goal of enhancing privacy protection, companies should implement the Framework fully and transparently. This includes ensuring that the privacy notice is up to date and states the company's participation in the Framework and the rights that participation gives individuals, and that the practices described in the notice are actually followed.

Actionable Take-Aways

US companies receiving EU personal data should join the EU-U.S. Data Privacy Framework by committing to its detailed set of privacy obligations, which go beyond a plain contractual promise because they become enforceable by the FTC or DoT once the company certifies. This facilitates a competitive digital economy and economic cooperation, and allows the safe, continuous flow of data that is said to underpin roughly 900 billion euro of transatlantic commerce every year.

Executive Order ("EO") 14086 on Enhancing Safeguards for United States Signals Intelligence Activities, issued by the US President on October 7, 2022, sets limitations and safeguards for all US signals intelligence activities, which, if you recall, was the central issue in Schrems I and II. The EO strengthens the conditions, limitations and safeguards that apply to signals intelligence activities regardless of where they take place. The limitations, safeguards and redress mechanisms established by the EO are essential elements of the Framework.

Some of the principles of the Framework include:

  1. Notice – a long list of items generally found in a Privacy Notice, including the company's participation in the Framework, the types of data collected, the purposes of processing, the third parties to which data is disclosed, and the individual's rights of access and choice.

  2. Choice – individuals must be offered the opportunity to opt out of disclosure of their data to a third party or of its use for a materially different purpose; for sensitive data, affirmative opt-in consent is required.

  3. Accountability for onward transfer – contracts and continued protection when data is passed to third parties.

  4. Security – reasonable and appropriate measures to protect data from loss, misuse and unauthorized access, disclosure, alteration and destruction.

  5. Data integrity and purpose limitation – data must be relevant, accurate and limited to the purposes for which it was collected.

  6. Access – individuals must be able to access, correct, amend or delete their data.

  7. Recourse, enforcement and liability – independent recourse mechanisms, enforceability of commitments, and liability for onward transfers.

  8. Supplementary principles – covering, among other things, how to manage sensitive data; due diligence and audits; undertakings in relation to the EU Data Protection Authorities; additional rules on access; HR-related data; mandatory contracts for onward transfers (regardless of whether the processor participates in the Framework); and other miscellaneous matters.

What’s Next?

As many companies in Canada and the EEA are already transferring EU personal data into the US (businesses have continued to function under the risk), the decision comes as a huge relief. That being said, both Canadian and EU companies should ensure that any EU personal data transferred into the US goes to a company that holds a current certification under the EU-U.S. Data Privacy Framework and implements the additional safeguards the EC indicated. A company certified under the Framework is still required to act in accordance with the rest of the GDPR: where the US company is a processor, an Article 28 data processing agreement is still required, and the EU or Canadian controller remains responsible for verifying that the processor provides sufficient guarantees. What the adequacy decision removes is the need for an Article 46 transfer tool: for a transfer to a certified company, SCCs and TIAs are no longer required. For transfers to US companies that are not certified, SCCs remain the usual mechanism.

Many professionals are advising companies to hang in there and wait to see what transpires, on the expectation that this decision, like its predecessors, will be challenged in court. But to what end? Why take the risk, when we are all inevitably heading towards a GDPR-style standard and many jurisdictions have already drawn on the GDPR as the basis of their privacy laws, as seen in California's CCPA and Quebec's Law 25? The EC's first periodic review of the decision is scheduled a year after its adoption, and a court challenge takes years to resolve, so in the interim companies can enjoy the relief the adequacy decision provides.

Whether or not a company is certified does not in itself dictate whether data can safely flow between the EU and the US. The safeguards the US government has put in place apply to any data transferred from the EU to the US, whatever the transfer mechanism and whether or not the recipient is certified. The ultimate goal was to limit access by US authorities, and that has been achieved by EO 14086 and its implementing regulations; the adequacy decision is a really great by-product.

What the Framework and certification achieve is to whittle down the due diligence process. The certification is a public, enforceable statement by the US company saying "yes, we comply with the Framework and, in essence, with GDPR-equivalent principles". It is the stamp of approval, although it does not relieve a controller of its ordinary obligation to vet the technical and organizational measures of any processor it engages. Without the certification, however, a TIA and full due diligence (including a risk assessment) on the technical and organizational measures implemented by the US company would be required, together with SCCs and additional contractual undertakings. It would also be prudent to ensure that a non-certified US company at least agrees contractually to the supplementary measures set out in the Framework.
