There’s been a notable development since our October post (Third Time Lucky? Personal Data Transfers between the U.S., EU, UK). Here’s a quick update.
On December 13, 2022, the European Commission issued a draft adequacy decision (“Draft”), with Q&A, re certain EU-protected personal data transfers to the United States – to entities that self-certify under the (work-in-progress) EU-U.S. Data Privacy Framework (“DPF”).
A big deal? Yes. And not just in length. (Get ready to read 134 pages, albeit about half are Annexes).
A done deal? No. Before being finalized on the EU-side, the Draft must be considered by other stakeholders:
- European Data Protection Board
- EU Member States
- European Parliament
And then? Schrems III? If/once finalized, transfers under a new adequacy decision will be subject to scrutiny by the Court of Justice of the European Union (“CJEU”). The CJEU rejected prior trans-Atlantic data flow efforts. In noyb’s initial response to the Draft, privacy activist Mr. Schrems (noyb’s honorary chair) unsurprisingly anticipates the CJEU will again not be persuaded.
Meanwhile, on the other side of the pond …
On December 14, 2022, the Commerce Department issued a statement welcoming the Draft. In October, it indicated it would transmit “a series of letters from relevant U.S. government agencies and documents outlining the operation and enforcement of the EU-U.S. DPF.” Following through, the Draft’s Annexes include, per the U.S. Secretary of Commerce:
a package of EU-U.S. Data Privacy Framework materials that, combined with Executive Order 14086, “Enhancing Safeguards for United States Signals Intelligence Activities” and 28 CFR part 201 amending Department of Justice regulations to establish the “Data Protection Review Court”, reflects important and detailed negotiations to strengthen privacy and civil liberties protections.
In addition to communications from the Commerce Department, including its International Trade Administration (which will administer the DPF), the Annexes include letters from the Federal Trade Commission, Department of Transportation, Office of the Director of National Intelligence, and the Department of Justice. The Commerce Secretary concluded:
[t]he full EU-U.S. Data Privacy Framework Package will be published on the Department’s Data Privacy Framework website and the Principles and Annex I of the Principles will be effective on the date of entry into force of the European Commission’s adequacy decision.
What do we do now, about contracts transferring EU-protected personal data to the U.S.?
To transfer EU-protected personal data to the U.S. (or other countries without adequacy status) now, or later to entities that don’t get certified to the DPF, contracting parties still need a cross-border transfer mechanism.
- For most commercial transactions involving EU-protected personal data, that means — the EU’s Standard Contractual Clauses (“SCCs”).
- Recall that December 27, 2022 is the deadline for transitioning existing processing to the 2021 modular versions of the SCCs. For a refresher, and link to the SCCs (and the European Commission’s SCC Q&A), see our short blog here. (Don’t forget the warranties – or to conduct and document your transfer impact assessment).
© 2022 by Tech Contracts Academy, LLC. All rights reserved.