The European Commission recently published its draft EU-US Data Privacy Framework adequacy decision.
If approved, the adequacy decision will make it easier for U.S. colleges and universities to transfer GDPR Personal Data to U.S.-based partners and service providers.
On December 12, the European Commission published its draft EU-US Data Privacy Framework adequacy decision, which, if approved, will allow unrestricted European Union (EU) General Data Protection Regulation (GDPR) cross-border transfers to U.S. organizations that obtain certification under the new EU-US data flow framework, the “EU-US Data Privacy Framework” (EU-US DPF). While EU-US DPF certification eligibility generally extends only to for-profit organizations, non-profit colleges and universities may nevertheless ease their GDPR compliance burdens by choosing to work with vendors that have obtained EU-US DPF certification.
GDPR Cross-Border Transfer Requirements
Under GDPR Chapter 5, any time personal data subject to the GDPR (Personal Data) is transferred outside the EU, including when it is transferred from one U.S. organization to another organization within the U.S. (e.g., when a U.S. college or university uploads Personal Data to a U.S.-based cloud storage service provider), the transfer must be performed in accordance with one of the cross-border transfer safeguards provided under GDPR Chapter 5, such as the European Commission’s standard contractual clauses (SCCs), binding corporate rules, or an adequacy decision. An adequacy decision, which EU regulatory authorities issue on a country-by-country basis upon determining that a country’s local laws provide sufficient data privacy protection, allows a U.S. college or university to transfer Personal Data to an organization outside the EU unrestricted by any of the other, more burdensome Chapter 5 safeguards if the receiving organization is subject to the adequacy decision (e.g., if approved, the EU-US DPF adequacy decision will allow transfers to U.S. organizations certified under the EU-US DPF without implementing any other Chapter 5 safeguards, such as SCCs).
While U.S. colleges and universities are free to choose which Chapter 5 safeguard they rely upon when transferring Personal Data outside the EU, most Chapter 5 safeguards are impractical or impossible to implement in GDPR cross-border transfers to/from U.S. colleges or universities. Aside from adequacy decisions, the SCCs are one of the few feasible Chapter 5 safeguards available to U.S. colleges and universities. When a U.S. college or university transfers Personal Data to an organization outside the EU, if the organization is not covered by a GDPR adequacy decision, then the U.S. college or university typically is left with no choice but to execute the complicated, 35-page SCCs with the receiving organization to fulfill Chapter 5 requirements. When a U.S. college or university is on the receiving side of a GDPR cross-border transfer, it almost always must rely upon the SCCs as its Chapter 5 safeguard since U.S. colleges and universities are not covered by a GDPR adequacy decision.
Former EU-US Privacy Shield Adequacy Decision
Data privacy enthusiasts may feel a sense of déjà vu, recalling the EU-US adequacy decision that EU regulatory authorities issued not long ago on July 12, 2016. This decision previously allowed a U.S. college or university to transfer Personal Data to an organization outside the EU, unrestricted by any of the other Chapter 5 safeguards, if the organization was certified under the former EU-US data flow framework, the EU-US Privacy Shield. However, just four years later, on July 16, 2020, the Court of Justice of the European Union invalidated the 2016 adequacy decision, in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Schrems II), on the basis that EU-US Privacy Shield certification did not ensure an adequate level of Personal Data privacy protection. In its decision, the Court emphasized that the EU-US Privacy Shield failed to protect Personal Data from U.S. public authorities’ extensive powers to access and use Personal Data for broadly stated national security purposes.
New EU-US Data Privacy Framework
In response to the invalidation of the 2016 adequacy decision based on the EU-US Privacy Shield, on March 25, 2022, the President of the European Commission and President Biden reached an agreement in principle on a new EU-US data flow framework, the EU-US DPF. The EU-US DPF attempts to address the issues identified in Schrems II by limiting the powers of U.S. public authorities to access and use Personal Data for national security purposes.
President Biden swiftly initiated implementation of the EU-US DPF on October 7, 2022 through Executive Order 14086 on Enhancing Safeguards for United States Signals Intelligence Activities, and on October 14, the U.S. Attorney General completed the implementation by promulgating a rule pursuant to Executive Order 14086 to establish a new Data Protection Review Court. Apparently satisfied by the implementation of the EU-US DPF, on December 12 the European Commission published a draft adequacy decision based on the EU-US DPF.
How U.S. IHEs May Benefit from the Adequacy Decision
If approved, the adequacy decision will allow U.S. colleges and universities to transfer Personal Data to other U.S. organizations that obtain certification under the EU-US DPF without needing to implement any additional Chapter 5 safeguards, such as SCCs. For example, when a U.S. college or university uses a U.S.-based service provider to process Personal Data during its regular course of business, GDPR Chapter 5 would allow the college or university to engage the service provider without executing any SCCs if the service provider has obtained certification under the EU-US DPF. If a service provider does not obtain certification, then the U.S. college or university would need to continue to rely upon SCCs to engage the service provider in order to comply with GDPR Chapter 5.
In contrast, even if the adequacy decision is approved it will have no effect on transfers to non-profit U.S. colleges and universities since non-profit institutions are not eligible to obtain certification under the EU-US DPF. Non-profit U.S. colleges and universities will therefore likely continue to receive requests to execute SCCs from organizations that transfer Personal Data to non-profit U.S. colleges and universities.
In sum, while the adequacy decision has the potential to free up Personal Data transfers from non-profit U.S. colleges or universities, it will have no effect on transfers to non-profit U.S. colleges or universities.
What to Expect Next
Following the publication of the European Commission’s draft adequacy decision, the European Data Protection Board, which is composed of representatives of the EU national data protection authorities and the European Data Protection Supervisor, will issue an opinion on the draft decision. Representatives from EU Member Nations will then consider the opinion and approve or deny the draft decision. If approved, the adequacy decision will become effective upon adoption by the European Commission, which is expected to occur by June 2023.
However, at any time before or after final approval of the adequacy decision, the European Parliament and the Council of the EU may order amendment or withdrawal of the decision on the grounds that the decision exceeds the European Commission’s authority under the GDPR. Furthermore, even if the adequacy decision is approved, the Court of Justice of the European Union could nevertheless invalidate the decision on the grounds that the EU-US DPF does not sufficiently address the Court’s concerns that led to invalidation of the 2016 adequacy decision in Schrems II. Data privacy experts are not in total agreement on whether this will happen, and some believe invalidation is likely because, in their view, the EU-US DPF does not go far enough in limiting the powers of U.S. public authorities to access and use Personal Data for national security purposes.
Recommendations for U.S. IHEs
U.S. colleges and universities should pay careful attention throughout the upcoming months to see if the European Data Protection Board, EU Member Nations, and European Commission ultimately approve the draft EU-US DPF adequacy decision.
In the meantime, U.S. colleges and universities should perform data mapping to determine what, if any, Personal Data they share with U.S.-based partners or service providers, and identify which contracts contain SCCs.
If the EU-US DPF adequacy decision is approved, U.S. colleges and universities should:
Work with partners and service providers to determine whether they have obtained EU-US DPF certification and, if so, whether SCCs can be removed from their contracts in light of the certification and adequacy decision;
Develop procurement and vendor due diligence processes to effectuate a preference for partners and vendors that have obtained EU-US DPF certification; and
Carefully follow any decisions of the Court of Justice of the European Union related to the validity of the EU-US DPF adequacy decision.