Ready. Set. Flow: Green Light from the Commission for EU-U.S. Data Privacy Framework

July 11, 2023

On 10 July 2023, the European Commission announced a major development[1] in EU-U.S. personal data transfer relations by adopting a long-anticipated adequacy decision[2] for the EU-U.S. Data Privacy Framework (“DPF”). The Commission concluded that personal data transferred from the EU to the U.S. under the DPF is ensured an adequate level of protection comparable to that in the EU.

Key Takeaways

  • Eligible U.S. organisations can self-certify to the DPF. Organisations that are Privacy Shield-certified and do wish to participate in the DPF must make certain updates to their policies and procedures; those that do not must complete the formal withdrawal process.
  • Whilst the adequacy decision offers organisations an additional mechanism for EU-U.S. data transfers, standard contractual clauses and other transfer mechanisms remain valid options and organisations should consider what mechanism works best for their specific transfers, especially given the inevitable legal challenge to the DPF.
  • Safeguards implemented by the U.S. as part of the DPF apply even where other mechanisms such as the standard contractual clauses or binding corporate rules are used. Organisations continuing to rely on these mechanisms can therefore take account of these safeguards as part of their transfer impact assessments.
  • Progress on the UK-U.S. data bridge, an extension to the DPF, should follow in short order.

Background

In July 2020, the CJEU invalidated the Privacy Shield framework in its landmark Schrems II decision[3], emphasising concerns over U.S. surveillance practices and the lack of adequate privacy protections for EU citizens. The ruling significantly impacted EU-U.S. data transfers, with organisations having to rely on alternative transfer mechanisms, such as standard contractual clauses (“SCCs”) and binding corporate rules, as well as undertake burdensome transfer impact assessments (“TIAs”) to back up such mechanisms. The subsequent release of new SCCs by the European Commission added to this furore.

Since Schrems II, data protection supervisory authorities across the EU have also taken a stricter approach to data transfers, with some targeting widely used services like Google Analytics. Following 101 complaints by the privacy activist group NOYB, several EU supervisory authorities, including those in Austria, Denmark, France, Italy and Sweden, have ordered certain companies to halt their use of Google Analytics given its transfers to the U.S., finding that the “supplementary measures” put in place pursuant to SCCs were insufficient. Meta has also been the subject of action by the Irish Data Protection Commission, with its EU-U.S. transfers (reliant on SCCs) due to be halted by a “stop transfer” order.

These developments have made EU-U.S. data transfers significantly more complex, costly, and burdensome, and, taken together, have created compliance obligations which effectively erected a barrier to entry to the EU market for many organisations. Ever since Schrems II, EU and U.S. officials have therefore been at the table forging a revamped data transfer framework that they hope can survive the inevitable legal challenge.

The DPF Difference

As explained in our previous OnPoint[4], the DPF consists of: (1) self-certification commercial principles (“Principles”); (2) an Executive Order which limits the U.S. intelligence community’s collection and use of personal data transferred to the U.S. from the EU to what is necessary and proportionate to protect national security; and (3) Department of Justice regulations creating a new Data Protection Review Court as an impartial redress mechanism.

Importantly, the safeguards implemented by parts (2) and (3) apply across the board to all personal data processed subject to the GDPR that is transferred to the U.S., even where such data is transferred using SCCs or binding corporate rules. Organisations continuing to rely on these mechanisms can therefore take account of the Executive Order and Department of Justice regulations as part of their TIAs.

The adequacy decision took effect with its adoption on 10 July and has no time limit although the Commission will continuously monitor U.S. developments and regularly review the decision. The first review will occur within a year in order to verify that all relevant elements have been fully implemented in the U.S. legal framework and are functioning effectively. Subsequent reviews, determined by the first review’s outcome, will happen at least every four years.

Overcoming Objections

Perhaps unsurprisingly, the Commission has moved forward with the adoption of adequacy for the DPF despite continuing reservations expressed by the European Data Protection Board[5], the European Parliament Committee on Civil Liberties, Justice and Home Affairs[6], and Members of the European Parliament[7], who had voted 306-21 (with 231 members abstaining) to adopt a resolution rejecting the DPF. While all seemed to consider the DPF an improvement on its predecessor, concerns remained that the DPF continues to permit the use of “bulk surveillance” in certain cases and that its redress and oversight mechanisms are insufficient.

In spite of these objections, the Commission has moved forward with adequacy, emphasising the importance of facilitating transatlantic data transfers while striving to ensure compliance with EU data protection standards.

How does the DPF work?

Similarly to the former Privacy Shield, eligible U.S. organisations can participate in the DPF by certifying their compliance to the Principles, including obligations like purpose limitation, data minimisation, and data retention, as well as specific requirements regarding data security and third-party data sharing. The U.S. Department of Commerce (“DoC”) will administer the DPF, processing certification applications and monitoring ongoing compliance, while the U.S. Federal Trade Commission (“FTC”) and U.S. Department of Transportation (“DoT”) will enforce adherence to the obligations in their respective areas.

To be eligible for certification under the DPF, an organisation must be subject to either the investigatory and enforcement powers of the FTC or DoT. In order to certify, eligible organisations must:

  1. make a submission to the DoC (confirming, amongst other things, what personal data they process and the purpose of such processing);
  2. publicly declare their commitment to comply with the Principles;
  3. make their privacy policies publicly available; and
  4. fully implement those privacy policies.

DPF-certified organisations will be required to re-certify their adherence to the Principles, following largely the same process outlined above, on an annual basis.

While this is a voluntary self-certification system, once an organisation has decided to certify under the DPF, its effective compliance with the Principles is compulsory and enforceable. Organisations must take measures to ensure their ongoing compliance with the Principles and the DoC will also carry out its own monitoring including by performing ‘spot checks’.

Further information is expected to be released on a new DPF website, which will be launched by the DoC in the coming days.

What about organisations that are Privacy Shield certified?

According to the Privacy Shield website[8], a Privacy Shield certification would appear to ‘roll over’ into a DPF certification (with the organisation then required to re-certify to the DPF on its next annual certification date).

Organisations that are Privacy Shield-certified and wish to participate in the DPF must comply with the Principles, including by updating their privacy policies to refer to the “EU-U.S. Data Privacy Framework Principles” within three months of the adequacy decision.

Organisations which are Privacy Shield-certified but do not wish to participate in the DPF must complete the formal withdrawal process.

What about the UK?

The UK and U.S. governments recently released a joint statement confirming their commitment in principle to establishing a data bridge[9], an extension of the DPF. Now that the DPF has been deemed adequate by the Commission, work on establishing the data bridge will presumably proceed full steam ahead.

Conclusion

Whilst the adoption of an adequacy decision for the DPF marks a significant advancement for transatlantic data transfers, organisations should be mindful that challenges in the CJEU are likely given the previous actions against Privacy Shield and Safe Harbor. Prominent privacy activists, such as the non-profit group NOYB and its founder Max Schrems, have already criticised the decision, and NOYB has announced its intention to challenge the DPF[10]. EU and U.S. officials will be hoping that they have done enough to enable the DPF to survive the fate of Safe Harbor and Privacy Shield.

Organisations may wish to adopt a “wait and see” approach while the inevitable legal challenge to the DPF plays out but in any event should consider what mechanism works best for their specific transfers.


Footnotes:

  1. European Commission Announcement dated 10 July 2023
  2. Adequacy Decision for the EU-U.S. Data Privacy Framework
  3. Case C-311/18. Judgment of the Court (Grand Chamber) of 16 July 2020
  4. Dechert OnPoint: The EU – U.S. Data Privacy Framework: Hold the Champagne
  5. Dechert Cyber Bits – Issue 29
  6. Dechert Cyber Bits – Issue 32
  7. Dechert Cyber Bits – Issue 34
  8. Privacy Shield Website
  9. Dechert Cyber Bits – Issue 36
  10. NOYB Press Release dated 10 July 2023
