Transatlantic retail industry views on preliminary adequacy decision of European Commission regarding EU-U.S. Data Privacy Framework
Position paper - Digital, Technology & Payments
On 12 December 2022, EuroCommerce and the National Retail Federation (NRF) welcomed the European Commission’s preliminary decision[1] that the EU-U.S. Data Privacy Framework (DPF) provides adequate protections for European citizens required under EU law. We said then that we would provide further analysis ahead of final approval of the adequacy decision in 2023. This paper provides that analysis.
We believe that the DPF represents a clear improvement over the EU-U.S. Privacy Shield program and framework for individuals and businesses. Following more than two years of uncertainty and disruption, it would facilitate responsible transatlantic transfers of personal data. Retailers that operate storefronts in Europe or sell goods online to Europeans need to work under a reliable and legally valid transfer mechanism between the EU and U.S. that allows them to serve their customers in the EU while maintaining the highest data protection standards for all individuals involved.
The preliminary adequacy decision explains why the European Commission believes the DPF and the legal steps taken by the U.S. under Executive Order 14086, signed by President Biden on 7 October 2022, including the accompanying regulations promulgated on that date by the U.S. Department of Justice, are adequate to comply with EU data protection law and should be approved.
Since 2016, NRF and EuroCommerce have maintained continuous cooperation on EU data privacy regulations, holding annual joint meetings with EU officials with the goal of developing approaches to safeguard consumers while fostering regulatory certainty for transatlantic retailers. As part of our joint efforts, we have analysed the European Commission’s draft adequacy decision and present in this paper our key findings.
Based on the legal analysis provided in the Appendix, EuroCommerce and NRF make the following key findings and recommendations regarding the adequacy decision:
Key findings and recommendations
- We urge relevant institutions on both sides of the Atlantic to swiftly adopt, implement, and apply a framework that ensures legal certainty and provides a durable, long-term mechanism for safeguarding EU-U.S. data flows.
- The current requirements to implement Standard Contractual Clauses (SCCs) and the EDPB’s recommendations on supplementary measures to be taken by businesses before transferring personal data to the U.S., in particular the requirement to assess the U.S. laws, court systems, and legal structure to ensure an adequate level of protection, create high costs and legal uncertainty for retail SMEs operating in the EU, making it difficult to effectively compete.
- The draft adequacy decision of the European Commission supports the intention to bring closure to these concerns in favor of European individuals who will benefit from improvements as regards necessity and proportionality of government access, as well as redress in this area, in line with the requirements of the Court of Justice.
- By resolving the issues associated with transatlantic data transfers through adoption of the DPF, retailers may benefit their customers by allocating more of their limited resources toward other critical activities to protect the privacy and security of consumers’ personal data, such as:
  - fortifying online systems’ defenses against cyber-attacks;
  - investing in further advanced training of personnel; and
  - assessing, monitoring, and mitigating privacy and security risks from service providers’ processing of retail customers’ personal data in the context of rapidly evolving cybersecurity threat
- EuroCommerce and NRF consider that the DPF would provide adequate protections for EU citizens and improve the framework for retailers operating in the EU, as compared to the previous Privacy Shield framework and alternative transfer tools that led to associated legal uncertainties, for the following reasons that are all further discussed in greater detail in the legal analysis that follows in the Appendix:
  - The DPF introduces concepts of necessity and proportionality with regard to U.S. intelligence-gathering of individuals’ personal data;
  - The U.S. legal system authorizes the creation of administrative tribunals, like the Data Protection Review Court (DPRC), which is the mechanism adopted to meet the CJEU requirements for a redress mechanism for handling complaints of EU individuals implicating matters of U.S. national security;
  - The DPRC is empowered within the U.S. legal system to be competently comprised of qualified judges to exercise independent authority to issue final and binding decisions directing remedial measures to be undertaken by U.S. intelligence agencies;
  - The DPRC meets the CJEU’s requirements of providing adequate and effective redress, including through the establishment of a two-tiered redress mechanism;
  - In light of the decades of collaboration between the EU and U.S. in an effort to establish a legally valid and durable mechanism for EU-U.S. data transfers, we believe the U.S. is committed to a long-term durable agreement and it is unlikely that the Executive Order or regulations establishing the DPRC will be repealed or modified; and
  - The DPF provides more adequate protection for Europeans under EU law than the former Privacy Shield framework.
- Because the entry into force of the European Commission’s adequacy decision is conditional upon full implementation of the Executive Order and regulations by all relevant U.S. agencies and availability of the redress mechanism for EU individuals, EuroCommerce and NRF look forward to the adoption of the final adequacy decision, including any modifications the Commission finds necessary to address the views of other EU institutions including the Council, European Parliament, and European Data Protection Board.