EU Commission adopts its adequacy decision for the EU-U.S. Data Privacy Framework

The European Commission has adopted its long-awaited adequacy decision on the EU-U.S. Data Privacy Framework (EU-U.S. DPF). This means that, as of 10 July 2023, transfers of personal data from the EU to organisations in the U.S. that have been certified as participating in the EU-U.S. DPF may be based on the adequacy decision without the need to rely on any additional transfer tools (e.g., SCCs or BCRs) and without having to conduct a transfer impact assessment or consider further supplementary measures.

Background to the decision

The EU-U.S. DPF is a replacement for the Privacy Shield Framework, which the European Court of Justice (CJEU) invalidated as a mechanism for transferring personal data from the EU to the U.S. in July 2020 (C-311/2 “Schrems II”). In its decision, the CJEU identified significant issues with U.S. laws that prevented recipients of data in the U.S. from being able to ensure an essentially equivalent standard of data protection to that offered in the EU. These issues included the far-reaching capabilities of U.S. intelligence agencies to access personal data under section 702 of the Foreign Intelligence Surveillance Act ( FISA 702 ) and Executive Order 12333 without appropriate mechanisms for oversight or legal redress for EU data subjects.

In October 2022, President Biden signed Executive Order (EO) 14086 on ‘Enhancing Safeguards for United States Signals Intelligence Activities’ which created a new set of rules and binding safeguards to limit access to data by U.S. intelligence agencies to what is necessary and proportionate to protect national security, and directed U.S. intelligence agencies to adopt procedures to ensure effective oversights of the new privacy and civil liberties standards. It further established a new two-tier redress system to investigate and resolve complaints by individuals in the EU relating to access by U.S. intelligence agencies, including a newly formed and independent Data Protection Review Court.

Largely reliant on EO 14086, The EU-U.S. DPF was developed by the U.S. Department of Commerce (DoC) and the European Commission to provide U.S. organisations with reliable mechanisms for personal data transfers to the United States from the European Union while ensuring data protection that is consistent with EU.

How does the EU-U.S. Data Privacy Framework work?

To benefit from the Framework, U.S-based organisations must certify their commitment to comply with the EU-U.S. DPF’s underlying privacy principles. These principles largely reflect concepts from EU GDPR including principles such as purpose limitation, data accuracy, data minimisation, and security although they are not a carbon copy. U.S. organisations processing sensitive personal must also adopt specific safeguards to protect such information. The Framework’s transparency obligations require certified organisations to publicly confirm their participation with the principles of the EU-U.S. DPF through their privacy notice as well as, amongst other information, setting out EU individual’s rights of redress.

Certification can be made online via the Data Privacy Framework website. Although the process is one of self-certification, each application must be granted by the DoC and is not active until such time as it has been reviewed and accepted. Re-certification is required on an annual basis along with payment of the applicable fees which, as with the Privacy Shield, are graded by organisation size. The key requirements for organisations looking to certify can be found here. The application process is now open, although it remains to be seen how many organisations will rush to sign up and what backlog this may create at the DoC in terms of reviewing and granting applications.

Is this the end of Standard Contractual Clauses for transfers to the U.S?

Not necessarily. Certification under the EU-U.S. DPF is voluntary. Transfers to U.S.-based organisations that are not EU-U.S. DPF participants cannot be based on the adequacy decision. Such transfers will still require the exporter to put in place appropriate safeguards such as SCCs or Binding Corporate Rules and there will still be a to need to conduct transfer impact assessments (TIA) when using SCCs. However, the European Data Protection Board (EDPB) recently said that “all the safeguards that have been put in place by the U.S. Government in the area of national security (including the redress mechanism) apply to all data transferred to the U.S., regardless of the transfer tool used”. This means that when conducting a TIA and assessing the effectiveness of the SCCs as the chosen Art 46 transfer tool, a company exporting data to the U.S. from the EU can consider the assessment conducted by the Commission in the adequacy decision. A question mark remains at this point as to whether additional safeguards are still needed when using SCCs for U.S. data transfers but the EDPB’s guidance certainly suggests that the reforms carried out to U.S. laws will benefit those continuing to rely on SCCs when it comes to assessing the level of protection given to data that is transferred to U.S.-based companies.

What does it mean for the EU-U.S. Privacy Shield Framework?

The DoC has confirmed that Privacy Shield participants who have maintained their certifications may immediately rely on the EU-U.S. DPF. Such organisations will need to ensure that they are adhering to the principles of the EU-U.S. DPF (which closely follow those of the Privacy Shield) and importantly are required to update their privacy notices to reflect reliance on the EU-U.S. DPF and its principles by 10 October 2023. Any data processing agreements referring to the Privacy Shield will also need amending.

Switching to the EU-U.S. DPF will not change an organization’s re-certification due date (i.e. their Privacy Shield re-certification will remain in place for the EU-U.S. DPF going forward). Organisations that do not wish to comply with the EU-U.S. DPF principles must complete a withdrawal process. Allowing the certification to lapse will not count as a withdrawal and may result to enforce action under the Privacy Shield still.

What about the UK and Switzerland?

The EU adequacy decision on the EU-U.S. DPF does not benefit the UK. The UK reiterated its commitment to a UK-U.S. Data Bridge last month and U.S. organisations can already certify for the UK Extension to the EU-U.S. DPF, although such organisations will not be able to rely on the UK Extension for data transfers from the UK and Gibraltar to the U.S. until such a time as an adequacy decision is adopted by the UK. Participation in the UK Extension first requires participation in the EU-U.S. DPF.

The Swiss-U.S. DPF is a stand-alone framework requiring separate self-certification (although following the same certificationprocess as the EU-U.S. DPF). It is also already operational so that members of the Swiss-U.S. Privacy Shield Framework can transition to the Swiss-U.S. DPF and those wishing to join can also do so. However, like the UK, transfers cannot be made to Switzerland by relying on the Swiss-U.S. DPF until a Swiss adequacy decision is announced.

Plain sailing or icebergs ahead!

The question on everyone’s lips is how long will this third attempt at an EU-US privacy framework last. NOYB has already provided its reaction to the EU-U.S. DPF, hinting that we will see a fresh legal challenge before long, and Max Schrems has likened recent events to groundhog day:

“They say the definition of insanity is doing the same thing over and over again and expecting a different result. Just like ‘Privacy Shield’ the latest deal is not based on material changes, but by political interests. Once again the current Commission seems to think that the mess will be the next Commission’s problem. FISA 702 needs to be prolonged by the US this year, but with the announcement of the new deal the EU has lost any power to get a reform of FISA 702.”

The possibility of a future invalidation of the EU-U.S. DPF may be a consideration for organisations assessing whether to participate or not.