The European Commission recently adopted its EU-US Data Privacy Framework adequacy decision.
The adequacy decision will make it easier for U.S. colleges and universities to transfer GDPR Personal Data from an EU establishment to U.S.-based partners and service providers.
Data privacy activists plan to challenge the adequacy decision by the beginning of 2024.
On July 10, the European Commission adopted its EU-US Data Privacy Framework adequacy decision, which allows unrestricted European Union (EU) General Data Protection Regulation (GDPR) cross-border transfers from an EU establishment to U.S. organizations that obtain certification under the new EU-US data flow framework, the “EU-US Data Privacy Framework” (EU-US DPF). While EU-US DPF certification eligibility generally extends only to for-profit organizations, non-profit colleges and universities may nevertheless ease their GDPR compliance burdens by choosing to work with vendors that have obtained EU-US DPF certification. However, colleges and universities relying on the adequacy decision should carefully monitor judicial challenges expected to be brought by the beginning of 2024, which may invalidate the adequacy decision.
GDPR Cross-Border Transfer Requirements
Under GDPR Chapter 5, any time personal data subject to the GDPR (Personal Data) is transferred outside the EU, including when it is transferred from one U.S. organization to another organization within the U.S. (e.g., when a U.S. college or university uploads Personal Data to a U.S.-based cloud storage service provider), the transfer must be performed in accordance with one of the cross-border transfer safeguards provided under GDPR Chapter 5, such as the European Commission’s standard contractual clauses (SCCs), binding corporate rules, or an adequacy decision.
An adequacy decision, which EU regulatory authorities issue on a country-by-country basis upon determining that a country’s local laws provide sufficient data privacy protection, allows a U.S. college or university to transfer Personal Data to an organization outside the EU unrestricted by any of the other, more burdensome Chapter 5 safeguards if the receiving organization is subject to the adequacy decision (e.g., the EU-US DPF adequacy decision allows transfers from EU establishments to U.S. organizations certified under the EU-US DPF without implementing any other Chapter 5 safeguards, such as SCCs).
While U.S. colleges and universities are free to choose which Chapter 5 safeguard they rely upon when transferring Personal Data outside the EU, most Chapter 5 safeguards are impractical or impossible to implement in GDPR cross-border transfers to/from U.S. colleges or universities. Aside from adequacy decisions, the SCCs are one of the few feasible Chapter 5 safeguards available to U.S. colleges and universities. When a U.S. college or university transfers Personal Data to an organization outside the EU, if the organization is not covered by a GDPR adequacy decision, then the U.S. college or university typically is left with no choice but to execute the complicated, 35-page SCCs with the receiving organization to fulfill Chapter 5 requirements. When a non-profit U.S. college or university is on the receiving side of a GDPR cross-border transfer, it almost always must rely upon the SCCs as its Chapter 5 safeguard since U.S. colleges and universities are not covered by a GDPR adequacy decision.
How U.S. IHEs May Benefit from the Adequacy Decision
The adequacy decision allows U.S. colleges and universities to transfer Personal Data from their EU establishments to other U.S. organizations that obtain certification under the EU-US DPF without needing to implement any additional Chapter 5 safeguards, such as SCCs. For example, when a U.S. college or university uses a U.S.-based service provider to process Personal Data during its regular course of business, GDPR Chapter 5 would allow the college or university to transfer (or otherwise allow access to) Personal Data from the EU to the service provider without executing any SCCs if the U.S. institution has an establishment in the EU (or “stable arrangements” in the EU, such as a campus, office, or ongoing academic or research collaboration with an EU partner institution) and the service provider has obtained certification under the EU-US DPF. If a service provider does not obtain certification, then the U.S. college or university would need to continue to rely upon SCCs to transfer Personal Data from the EU to the service provider in order to comply with GDPR Chapter 5.
Crucially, a brief information note from EU regulatory authorities clarifies that even if a service provider has obtained certification under the EU-US DPF, the EU-US DPF does not cover any transfers from U.S. colleges and universities unless they have an establishment or stable arrangements in the EU. Therefore, U.S. colleges and universities that do not have an establishment or stable arrangements in the EU and are subject to the GDPR solely by virtue of its extraterritorial application must continue to execute SCCs or implement other Chapter 5 safeguards to comply with the GDPR, even with respect to transfers to service providers that are certified under the EU-US DPF.
The adequacy decision likewise has no effect on transfers to non-profit U.S. colleges and universities since non-profit institutions are not eligible to obtain certification under the EU-US DPF. Non-profit U.S. colleges and universities will therefore likely continue to receive requests to execute SCCs from organizations that transfer Personal Data to them.
In sum, while the adequacy decision has the potential to free up Personal Data transfers from non-profit U.S. colleges or universities with establishments or stable arrangements in the EU, it has no effect on transfers to non-profit U.S. colleges or universities.
Schrems III Incoming
Don’t pop the champagne yet. Although the adequacy decision has been adopted, the Court of Justice of the European Union could nevertheless invalidate the decision on the grounds that the EU-US DPF does not sufficiently address the Court’s concerns that led to the invalidation of the former EU-US Privacy Shield and its 2016 adequacy decision in Schrems II (discussed in greater detail in our XL Insights+ January 16, 2023 article on this topic).
In fact, Max Schrems (that’s right—the Schrems of Schrems II) has already strongly condemned the European Commission, the adequacy decision, and the EU-US DPF:
“They say the definition of insanity is doing the same thing over and over again and expecting a different result. Just like 'Privacy Shield' the latest deal is not based on material changes, but by political interests. Once again the current Commission seems to think that the mess will be the next Commission's problem. . . . The press statements of today are almost a literal copy of the ones from the past 23 years. Just announcing that something is 'new', 'robust' or 'effective' does not cut it before the Court of Justice. We would need changes in US surveillance law to make this work - and we simply don't have it.”
Furthermore, Schrems has announced his plans to challenge the decision by the beginning of 2024, with a final judicial decision expected by late 2024 or early 2025, and he has astutely observed that the Court of Justice of the European Union may suspend the adequacy decision while it is under review:
“We have various options for a challenge already in the drawer, although we are sick and tired of this legal ping-pong. We currently expect this to be back at the Court of Justice by the beginning of next year. The Court of Justice could then even suspend the new deal while it is reviewing the substance of it. For the sake of legal certainty and the rule of law we will then get an answer if the Commission's tiny improvements were enough or not.”
Recommendations for U.S. IHEs
Work with partners and service providers to determine whether they have obtained EU-US DPF certification and, if so, whether SCCs can be removed from their contracts in light of the certification and adequacy decision, but have a backup plan in place in the event that the EU-US DPF is invalidated;
Develop procurement and vendor due diligence processes to effectuate a preference for partners and vendors that have obtained EU-US DPF certification; and
Carefully follow any decisions of the Court of Justice of the European Union related to the validity of the EU-US DPF adequacy decision, keeping in mind that judicial challenges are expected no later than the beginning of 2024 and that the Court may suspend the EU-US DPF adequacy decision while it is under review.