On October 23, 2019, the European Commission (EC) released its report on a third annual review of the EU-U.S. Privacy Shield. While the report confirms that the U.S. continues to provide an adequate level of protection for personal data transfers in the context of the Privacy Shield, there are some gaps between the expectations of the EC and U.S. authorities, particularly in relation to the lack of transparency concerning U.S. enforcement activities and a lack of co-operation between regulators. You can read our summary on the report via this link.
On Thursday, January 9, 2020, members of the Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) met representatives of the EC and European Data Protection Board to discuss the EC’s 2019 report on the Privacy Shield (link accessible here). An interesting question was raised: Would it be possible for the EC to recognize a single state, e.g., a U.S. state such as California, as an adequate territory for transfers of personal data?
Under the EU General Data Protection Regulation (GDPR), transfers of personal data are permitted to third countries or international organizations that ensure an adequate level of protection. This includes cases where the EC has determined, on the basis of GDPR article 45, that a country outside the EU offers an adequate level of data protection, and adopts an adequacy decision in respect of that third country. To date, the EU has not granted the U.S. an adequacy decision.
Although the U.S. has not passed a comprehensive federal-level data protection law (instead maintaining a patchwork of sector-specific laws), California became the first state to do so with the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020. The CCPA is a generally applicable and comprehensive law applicable to most for-profit businesses that operate in the state of California and collect personal information from California residents. This is a significant piece of legislation governing not only many of the world’s major tech companies, a number of which are headquartered in California, but also most businesses that maintain an online presence in California.
What was discussed at the LIBE meeting?
- In view of the uncertainty and potential strike down of the current legality of EU-U.S. data transfers (such as through standard contractual clauses) under the pending Schrems II litigation (see our post on this here), it was suggested during the meeting of January 9, 2020 that a U.S. state such as California could apply for an adequacy decision as a single state. In principle, this is possible: GDPR articles 45(1) and 45(3) provide that a third country or a territory within that third country can be recognized as adequate under the GDPR.
- Bruno Gencarelli, head of the EC’s International Data Flows and Protection Unit, mentioned that in the event that the Court of Justice of the European Union invalidates EU-U.S. data transfers, recognition can serve as a long-term and stable solution as opposed to frameworks like the Privacy Shield.
- The meeting also discussed other issues, such as whether the EC has any existing measures to address the strike down of the Privacy Shield being considered in Schrems II; the lack of progress by the U.S. administration and, in particular, the capabilities of the newly-appointed Ombudsman; as well as the inability of the Privacy Shield review team to progress its review of the framework given national security concerns cited by the U.S. administration.
In its recitals, the GDPR states that this “carving out” approach to determining adequacy is applicable to a third country, a territory, or (even) a specified sector within a third country. Although the meeting did not specifically analyze the adequacy of Californian law or the applicability and implementation of this idea, we suspect this could be a problematic exercise – similar concerns posed by the Privacy Shield would still apply. However, as California moves toward stricter privacy regulations, and other states such as Nevada, Maine, New York and Washington have enacted or are considering similar consumer data privacy laws, the determination of whether or not California could achieve adequacy as a state has potentially far-reaching implications.
Furthermore, GDPR recital 104 draws attention to the need for the third country to ensure “effective independent data protection supervision” and “cooperation mechanisms” to allow cooperation with EU member states’ data protection authorities, as well as “effective and enforceable rights and effective administrative and judicial redress” for data subjects. If California were to submit a proposal for an adequacy decision, an extensive transatlantic review of the CCPA by the EC would be necessary. There would also be constitutional powers questions for California to resolve before submitting such a proposal: Can California do so legally in its own capacity, and would any federal approvals be required? Would California need to create its own data protection supervisory authority to provide oversight, rather than relying on its current enforcement mechanism through the California attorney general? What about conflicts of law issues between the GDPR, the CCPA and domestic U.S. laws?
Until such questions are answered, it is unlikely that an adequacy finding application would provide much hope for data transfers between the EU and California (or any other U.S. state) in the event that an adverse outcome of the Schrems II litigation is reached. While state adequacy is academically possible under the GDPR’s provisions, there are many hurdles to overcome before it becomes viable or realistic. As always, we are monitoring closely, so please check back in.