On 10 July 2023, the European Commission formally adopted a new US adequacy decision for the EU-U.S. Data Privacy Framework ("DPF"). The adoption of the adequacy decision comes three years after the invalidation of the EU-U.S. Privacy Shield by the Court of Justice of the European Union ("CJEU") in Schrems II .
The European Commission's adequacy decision concludes that the US ensures an adequate level of protection, comparable to that of the EU, for personal data transferred from the EU/EEA to US companies who certify compliance with the DPF.
This article considers the implications of the new DPF, and some practical issues about the self-certification process.
Implications
DPF effective immediately
The DPF is immediately effective. This means that EU/EEA companies can freely transfer personal data to US certified companies, without having to put in place additional data protection safeguards under Chapter V of the GDPR, or carrying out a transfer impact assessments ("TIA"). However, transfers by controllers to processors will still require a data processing contract, in compliance with Article 28 GDPR.
The DPF enables US companies to self-certify that they commit to complying with a detailed set of privacy principles (which are set out in Annex I of the DPF). These principles remain the same as under the Privacy Shield.
As with its predecessors, the Privacy Shield and Safe Harbor, the US adequacy decision applies only in respect of EU/EEA-US transfers made pursuant to the DPF and not to all US recipients. Albeit the US adequacy decision will help to ease the burden on companies that decide to rely on the Standard Contractual Clauses ("SCCs") or Binding Corporate Rules ("BCRs") (rather than the DPF) to legitimise their EU/EEA-US transfers, as the new safeguards introduced under President Biden's Executive Order 14086 may be taken into account when executing the SCCs or BCRs, and carrying out accompanying TIAs.
Self-Certification Process
US companies currently self-certified under the EU-U.S. Privacy Shield Framework can automatically transition to, and begin relying on, the DPF for EU/EEA-US transfers, provided they update their privacy policies to instead refer to the DPF principles, within three months from the effective date of the DPF principles (i.e. by 10 October 2023), and otherwise comply with the DPF principles. These companies do not need to make a separate, initial self-certification submission to participate in the DPF.
Companies not currently certified may start the DPF certification process on or after 17 July 2023. Companies can certify through the new DPF website maintained by the US Department of Commerce ("DoC"), which went live on 17 July 2023.
EU/EEA data exporters transferring data to US self-certified companies, should ensure they also take steps to update their Privacy Notices to inform data subjects that they are relying on the DPF as a legal basis for the transfer, and also update their Records of Processing Activities. In addition, EU/EEA data exporters in the EU should take steps to verify that the relevant US importer is self-certified. A list of US companies who are self-certified to the DPF is publicly available on the new DPF website.
Who can self-certify?
Any US organisation that is under the jurisdiction of the US Federal Trade Commission or the Department of Transportation may self-certify under the new DPF. For example, banks, savings and loan institutions would not fall within their jurisdiction. Organisations that are ineligible to self-certify under the DPF, will instead need to continue to use the SCCs, BCRs, or another transfer mechanism and carry out TIAs.
Improvements
The DPF and accompanying Executive Order 14086 introduce new binding safeguards to address the concerns raised by the CJEU in Schrems II, including limiting access by US intelligence agencies to EU citizens' personal data to what is necessary and proportionate to protect national security.
European citizens are also offered improved redress mechanisms, including through the newly created Data Protection Review Court ("DPRC"). The DPRC will independently investigate and resolve complaints regarding the collection and use of EU citizens' data by US intelligence agencies, and adopt binding remedial measures. The new safeguards in the area of government access to data will complement the obligations that US companies importing data from EU will have to subscribe to. This new redress mechanism is available to individuals across the EEA, as the EU, Iceland, Lichtenstein, and Norway were designated as "Qualifying States" by the U.S. Attorney General on 30 June 2023.
Monitoring and Enforcement
The DoC will monitor compliance with the DPF and carry out random spot checks, as well as investigate potential compliance issues, such as those reported to the DoC by third parties. US companies that persistently fail to comply with the DPF principles will be removed from the DPF registration list, and must return or delete any personal data they have received under the DPF.
Next steps
The DPF will be subject to periodic reviews, to be carried out by the European Commission, representatives of European data protection authorities, and competent U.S. authorities. Under Article 3 of the adequacy decision, the European Commission must continuously monitor the application of the DPF. Where the European Commission has indications that an adequate level of protection is no longer ensured, it will inform the competent U.S. authorities, and, if necessary, may decide to suspend, amend or repeal the adequacy decision or limit its scope. The first review will take place in July 2024, in order to verify that all relevant elements of Executive Order 14086 have been fully implemented in the US legal framework and are functioning effectively in practice.
Despite the European Commission's statement that the binding safeguards address all concerns raised by the CJEU in Schrems II, it is likely that the DPF will be subject to legal challenge from privacy advocates. Noyb, in particular, have already confirmed that it plans to challenge the DPF and expect to be back before the CJEU by the beginning of 2024. It remains to be seen whether the DPF will survive such a challenge.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
