On December 13, 2022, the European Commission issued a draft adequacy decision (“Draft”), with Q&A, re certain EU-protected personal data transfers to the United States – to entities that self-certify under the (work-in-progress) EU-U.S. Data Privacy Framework (“DPF”).
A big deal? Yes. And not just in length. (Get ready to read 134 pages, although about half are Annexes.)
A done deal? No. Before being finalized on the EU-side, the Draft must be considered by other stakeholders:
European Data Protection Board
EU Member States
European Parliament
And then? Schrems III? If/once finalized, transfers under a new adequacy decision will be subject to scrutiny by the Court of Justice of the European Union (“CJEU”). The CJEU rejected prior trans-Atlantic data flow efforts. In noyb’s initial response to the Draft, privacy activist Mr. Schrems (noyb’s honorary chair) unsurprisingly anticipates the CJEU will again not be persuaded.
Stay tuned.
US
Meanwhile, on the other side of the pond …
On December 14, 2022, the Commerce Department issued a statement welcoming the Draft. In October, it indicated it would transmit “a series of letters from relevant U.S. government agencies and documents outlining the operation and enforcement of the EU-U.S. DPF.” Following through, the Draft’s Annexes include, per the U.S. Secretary of Commerce:
a package of EU-U.S. Data Privacy Framework materials that, combined with Executive Order 14086, “Enhancing Safeguards for United States Signals Intelligence Activities” and 28 CFR part 201 amending Department of Justice regulations to establish the “Data Protection Review Court”, reflects important and detailed negotiations to strengthen privacy and civil liberties protections.
In addition to communications from the Commerce Department, including its International Trade Administration (which will administer the DPF), the Annexes include letters from the Federal Trade Commission, Department of Transportation, Office of the Director of National Intelligence, and the Department of Justice. The Commerce Secretary concluded:
[t]he full EU-U.S. Data Privacy Framework Package will be published on the Department’s Data Privacy Framework website and the Principles and Annex I of the Principles will be effective on the date of entry into force of the European Commission’s adequacy decision.
What do we do now, about contracts transferring EU-protected personal data to the U.S.?
To transfer EU-protected personal data to the U.S. (or other countries without adequacy status) now, or later to entities that don’t get certified to the DPF, contracting parties still need a cross-border transfer mechanism.
For most commercial transactions involving EU-protected personal data, that means — the EU’s Standard Contractual Clauses (“SCCs”).
Recall that December 27, 2022 is the deadline for transitioning existing processing to the 2021 modular versions of the SCCs. For a refresher, and link to the SCCs (and the European Commission’s SCC Q&A), see our short blog here. (Don’t forget the warranties – or to conduct and document your transfer impact assessment).