US and EU officials have been negotiating a successor to the Privacy Shield since the Court of Justice of the European Union (“CJEU”) invalidated the adequacy decision in July 2020 in the widely reported Schrems II decision. It remains unclear when negotiations for Privacy Shield 2.0 will actually conclude. A senior US Commerce official said that the Administration was “almost done” in October 2021, but two months later EU Commissioner Didier Reynolds told Google that “outstanding issues still remain.” Assuming the negotiators resolve those issues and announce a “deal,” what comes next?
It is likely that officials would first announce an “agreement in principle” outlining key points. So, as the first order of business, officials on both sides must put in place all the necessary documentation to flesh out the agreed-upon principles. If the deal involves executive action on the US side—like an executive order or presidential directive—US officials will need to draft the appropriate document and circulate it to other agencies as part of the often extensive and time-consuming interagency coordination process for national security matters. Each US president establishes their own such process, the general parameters of which are laid out here for the current Administration.
This process may go more quickly given the likelihood that US officials have already engaged in extensive interagency deliberations to determine what positions to put forward. Even so, once a deal is reached between negotiators, additional work may well be needed to further document relevant details.
On the EU side, the European Commission (“EC”) must issue an adequacy decision pursuant to Article 45 of GDPR. To that end, the EC will need detailed documentation from the US laying out the measures being taken to address the issues raised in the Schrems II decision. The EC will then prepare and publish a draft decision.
Given the expectation that the future EU-US adequacy decision will once again come before the CJEU, it is reasonable to assume that the EC will go to considerable lengths to make its decision as comprehensive as possible. By way of comparison, the EC’s adequacy decision for the UK ran 93 pages, while that for South Korea ran 122 pages.
Once the draft adequacy decision is published, the next step lies with the European Data Protection Board (“EDPB”). Under Article 70 of GDPR, the EDPB will “provide the Commission with an opinion for the assessment of the adequacy of the level of protection.” EDPB opinions on adequacy decisions are not binding but persuasive. Note that in the PAB Resource Guide, we have links to the EDPB opinions on the draft adequacy decisions for the UK, South Korea and Japan.
In its opinion, the EDPB can ask the Commission to clarify certain issues or flag areas that it believes fall short of the rights guaranteed by EU law. It is impossible to know in advance what the EDPB will say, but some guideposts exist. For example, the EDPB’s predecessor, the Article 29 Data Protection Working Party, published in 2017 (further revised in 2018) an “Adequacy Referential” to provide the EC guidance “for the assessment of the level of data protection in third countries … by establishing the core data protection principles that have to be present in a third country legal framework … in order to ensure essential equivalence with the EU framework.” More recently, the EDPB updated that guidance when it issued the EDPB Recommendations 2/2020 on the European Essential Guarantees for surveillance measures. It is reasonable to assume that the EDPB’s opinion will seek to follow its own guidance.
After the EDPB provides its opinion, the EC determines whether and how to address any issues raised by the EDPB. Furthermore, Article 45(3) requires an examination process per Article 5 of EU Regulation No 182/2011, wherein a committee composed of representatives of the EU Member States provides a positive or negative opinion or no opinion at all on the draft adequacy decision to the EC. This is known as the “comitology procedure.” If the committee issues a negative opinion or a majority of members oppose the draft, the EC may not adopt the adequacy decision. However, the chair of the committee can submit the draft to an appeal committee for further deliberations. Additionally, the European Parliament Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) issues a resolution evaluating the draft adequacy decision.
Depending on how the EDPB, comitology committee, and LIBE committee procedures go, the EC’s College of Commissioners then votes on the final adoption of the adequacy decision. Adequacy decisions adopted by the EC are published. After adopting an adequacy decision, the Commission is required to monitor relevant developments, at least every four years, to ensure that the country continues to provide an adequate level of data protection.
Privacy Across Borders is following EU-US negotiations closely. Stay tuned for new blog posts commenting on the future of EU-US data transfers.