The new EU-US Data Privacy Framework
On 10 July 2023, the European Commission adopted its long-awaited adequacy decision on data transfers under the EU-US Data Privacy Framework (“DPF”), having concluded that the US ensures an adequate level of data protection - comparable to that of the EU - for personal data transferred to US organisations participating in the framework. The DPF creates a lawful transatlantic framework that allows the free flow of personal data from the EU to DPF-certified companies located in the United States. Under Article 45 of the General Data Protection Regulation (“GDPR”), data transfers covered by the scope of such an adequacy decision are permitted without further legal safeguards (e.g., the European Commission’s standard contractual clauses (“SCCs”), binding corporate rules or industry-specific codes of conduct) being necessary to ensure that personal data continues to be protected under the GDPR.
The adequacy decision is the result of extensive cooperation between the US government and the European Commission following the Court of Justice of the European Union’s (“CJEU”) Schrems I and Schrems II rulings, which invalidated the predecessor adequacy decisions covering the Safe Harbor and Privacy Shield frameworks respectively. In particular, in Schrems II, the CJEU expressed concerns about the scope and proportionality of US government surveillance activities, as well as the lack of effective recourse available to EU individuals to object to such activities.
Reforms to US law
The new DPF adequacy decision became possible after, in response to the above concerns, President Biden released in October 2022 the Executive Order On Enhancing Safeguards for United States Signals Intelligence Activities (the “Executive Order”) and its accompanying regulation. Some of the most significant measures introduced by these instruments include: (a) the establishment of a new redress mechanism (see the paragraph below); (b) the introduction of binding safeguards which limit access to data by US authorities to what is necessary and proportionate to protect national security; and (c) enhanced oversight of the activities of US intelligence services to ensure compliance with the limitations on surveillance activities and on the ability of US authorities to engage in bulk collection of data.
The Executive Order provides that the US will establish an independent and impartial redress mechanism to handle and resolve complaints from EU data subjects concerning the collection of their data for national security purposes. Complaints are first lodged with the competent EU data protection authority for the individual and then transmitted to the US by the European Data Protection Board. In the US, the complaint is first investigated by the Civil Liberties Protection Officer of the Office of the Director of National Intelligence (“ODNI”), with the possibility of appeal to the newly created Data Protection Review Court.
The safeguards introduced by the Executive Order and its accompanying regulation apply to all transfers under the GDPR to data importers located in the US, i.e., they also apply to transfers carried out on the basis of the SCCs or binding corporate rules.
The DPF Principles
The DPF includes provisions similar to those of its predecessors—such as purpose limitations, data retention requirements, data minimization, data accuracy, specific obligations concerning data security and the sharing of data with third parties (“DPF Principles”). The framework provides EU individuals whose data is transferred to participating US companies with rights to obtain access to their data, and obtain correction or deletion of incorrect or unlawfully handled data.
Eligibility
Only US organisations that are subject to the investigatory and enforcement powers of the US Federal Trade Commission or the US Department of Transportation are eligible to participate in the DPF. In practice this means that only organisations engaged in commercial activities may pursue certification; banks, insurers, non-profit organisations and telecommunications common carriers, for example, fall outside those powers and cannot self-certify.
Participation in the DPF
For US organisations, participation in the DPF is voluntary. Companies that have maintained their Privacy Shield certification automatically and immediately became participants in the DPF and must comply with the DPF Principles, including by updating their privacy policies by October 10, 2023. Such companies do not need to file a new self-certification in order to participate in the DPF. Any company that self-certified under the Privacy Shield but does not wish to participate in the DPF will need to complete the scheme’s withdrawal process.
To join the DPF, an eligible organisation that was not a Privacy Shield participant must develop a conforming privacy policy, identify an independent recourse mechanism, and self-certify through the website provided by the Department of Commerce, accessible at https://www.dataprivacyframework.gov/s/. The commitment to comply with the DPF Principles must be reflected in the privacy notices of such participating US data importers.
Organisations must re-certify their participation in the framework annually in order to continue to rely on the DPF.
The list of certified US organisations is published on the DPF website.
Administration and enforcement
The DPF will be administered by the US Department of Commerce, which will process certification applications and monitor whether participating companies continue to meet certification requirements. Compliance under the DPF will be enforced by the US Federal Trade Commission.
Transfer impact assessment
Organisations that rely on the DPF as their basis for transferring personal data to data importers in the US will not be required to carry out a transfer impact assessment (“TIA”), as the DPF adequacy decision replaces the adequacy assessment in the TIA.
Impact on companies
Although the DPF offers certain advantages over SCCs, such as ease of use (e.g., avoiding the need to fill out and execute SCCs with each counterparty to a transfer), it also imposes significant ongoing compliance obligations on participating US companies. US companies may therefore wish to weigh whether to join the DPF or not. Transfers of personal data to US organisations that do not or cannot self-certify under the DPF will need to continue to rely on appropriate safeguards such as SCCs (subject to a TIA and any required supplementary measures). However, existing TIAs (e.g., those prepared under Clause 14 of the SCCs) should be revisited to account for the changes to US surveillance law described above.
Data exporters in the EU that want to transfer personal data under the DPF adequacy decision need to check on the DPF website, prior to the transfer, whether the recipient in the US is certified under the DPF and whether the relevant data transfer (in particular, the categories of data, e.g., HR or non-HR data) is covered by that certification. To the extent data exporters rely on the DPF as the legal basis for the transfer, the relevant information in the data exporter’s privacy notice to EU data subjects under Art. 13 and 14 GDPR will need to be updated.
Potential legal challenges
It is expected that the DPF will face legal challenges similar to those that brought down the Privacy Shield, so the future of the DPF remains uncertain. However, both the European Commission and US government representatives have been optimistic about the chances of the DPF surviving such a challenge. In any case, the prevailing opinion is that the DPF can still reduce compliance and contractual burdens, at least in the short to medium term.