Bumps in the Road for a US Adequacy Decision Under GDPR
As discussed in a prior post on this blog, electronic discovery that requires the processing and use of records and information that include the personal data of individuals residing in the European Union and the European Economic Area (“EEA”) must often incorporate measures to allow for compliance with the European Union’s General Data Protection Regulation (“GDPR”), which contains a number of requirements and limitations regarding the processing of such personal data and its transfer to countries outside the EEA.
In particular, Article 45 of GDPR forbids the transfer of the personal data of EEA residents (described as “data subjects”) to any country outside of the EEA unless (i) the EU determines that the country’s legal privacy frameworks and practices ensure an adequate level of protection for data subjects’ personal data (termed an “adequacy decision”), or (ii) one or more safeguards deemed appropriate by the EU are imposed on the cross-border data transfer. Because the United States lacks an adequacy decision, cross-border transfers of personal data of EEA data subjects must rely on such safeguards (or, alternatively, a derogation defined by Article 49 of GDPR).
On December 13, 2022, an important step was taken toward an adequacy decision for the United States when the European Commission published its draft adequacy decision, which was based largely on President Biden’s October 7, 2022 Executive Order 14086 on Enhancing Safeguards For United States Signals Intelligence Activities (the “EO”). The EO commits to changes to US foreign intelligence agencies’ access to personal data and to the creation of a new system through which EU data subjects can seek redress for the infringement of their data privacy rights in the United States.
However, on February 14, 2023, the European Parliament Committee on Civil Liberties, Justice and Home Affairs issued a draft opinion on the proposed adequacy decision. The opinion identifies multiple concerns with the EO, including (i) its definitions of proportionality and necessity, (ii) its lack of a prohibition on bulk data collection by signals intelligence (and the ability of the US President to expand the list of relevant national security objectives), (iii) its inapplicability to “data accessed by public authorities via other means, for example through the US Cloud Act or the US Patriot Act, by commercial data purchases, or by voluntary data sharing agreements,” (iv) its lack of provisions for notification of data subjects that their information has been processed, (v) its insufficient remedies for commercial matters, (vi) its lack of an appeal avenue in federal court (and the resultant inability for the subject to claim damages), and (vii) its failure to provide a redress system that meets “the standards of independence and impartiality of Article 47 of the Charter [of Fundamental Rights of The European Union].” Additional concerns over the lack of federal privacy and data protection legislation in the United States and the mutability of the EO (including the lack of a sunset clause and the ability for any United States President to modify it in the future) led the European Parliament Committee on Civil Liberties, Justice and Home Affairs to urge the European Commission to refrain from adoption of the adequacy finding.
While this draft opinion is not binding on the European Commission’s ultimate decision on whether to adopt the final adequacy decision for the United States, it will be influential in further considerations of the adequacy decision. The draft opinion is available at this link.