Client Alert: EU-US Data Protection Framework Adequacy Decision Approved

Jenner & Block

On July 10, 2023, the European Commission adopted its much-anticipated adequacy decision for the EU-US Data Privacy Framework (DPF).[1] The decision concludes that the US ensures an adequate level of protection—comparable to that in the EU—for personal data transferred from the EU to US companies that are participating in the DPF. On the basis of the new adequacy decision, personal data can flow safely from the EU to US companies that are certified under the DPF, without the implementation of additional data protection safeguards.[2]

The adequacy decision is the culmination of three years of negotiations between the EU and US after the invalidation of the EU-US Privacy Shield in 2020, and marks a significant development in the regulation of trans-Atlantic data flows.

Executive Summary

  • The adequacy decision means that the European Commission has concluded that the DPF provides an adequate level of protection for personal data transferred from the EU to US companies participating in the DPF.
  • The DPF addresses perceived data protection gaps stemming from US surveillance laws.
  • Under the DPF, EU citizens have access to redress mechanisms to raise concerns regarding the handling of their personal data.
  • The US has designated EU Member States and the three other countries comprising the European Economic Area as “qualifying states” whose citizens may file for redress through the new US Data Protection Review Court. US companies that self-certify to and comply with the data privacy obligations of the DPF will be able to receive EU personal data without being required to implement additional safeguards.
  • Safeguards implemented by the US in connection with the DPF apply to all data transfers under the General Data Protection Regulation (GDPR) to companies in the US, including transfers using Standard Contractual Clauses and Binding Corporate Rules.
  • Legal challenges to the DPF are likely, but, for now, the decision will help streamline the transfer of personal data from the EU to DPF-certified US organisations and allow companies to simplify their GDPR compliance procedures.

Background

Enabling free flows of data between the EU and US has been a priority and reflects the strategic importance of the trans-Atlantic economic relationship.

Two previous data transfer frameworks between the EU and the US have been invalidated: the Safe Harbor Framework, which was invalidated in 2015 by a Court of Justice of the European Union (CJEU) decision known as Schrems I,[3] and the EU-US Privacy Shield, which was invalidated in 2020 by a CJEU decision known as Schrems II.[4] The CJEU decisions found that certain provisions in US surveillance law precluded US entities participating in the prior data-transfer frameworks from providing “adequate” protection for EU personal data as required under the GDPR. These decisions have resulted in a great deal of legal uncertainty for companies that exchange data between the EU and US.

In October 2022, President Biden signed an Executive Order establishing the US’s commitment to the DPF.[5] Among other things, the new DPF sought to address the perceived gaps in US surveillance law, which contributed to the Schrems I and Schrems II decisions and were viewed as undercutting data protection rights for individuals in the EU.

The DPF was the subject of the European Commission’s decision this week.

The EU-US Data Privacy Framework

The adequacy decision came into force with its adoption on July 10.[6] The DPF should significantly simplify GDPR compliance for companies transferring personal data from the European Economic Area to the US.

In addition to introducing new safeguards in the area of government access to data, the DPF also establishes a Data Protection Review Court (DPRC), accessible by individuals in the EU, which significantly improves redress mechanisms. For example, if the DPRC finds that data was collected in violation of the new safeguards, it will be able to order the deletion of the data. Redress avenues established by the DPF also include free independent dispute resolution mechanisms and an arbitration panel.[7]

The DPF is intended to serve as the principal option for US companies to assure adequate protection for transfers of personal data between the EU and the US. It is a self-certification program similar to its predecessors, the Safe Harbor and Privacy Shield. US companies will be able to join the DPF by committing to comply with a detailed set of privacy obligations, including the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties.

The DPF will be subject to periodic reviews, to be carried out by the European Commission, together with representatives of European data protection authorities and competent US authorities.

The first review will take place within a year of the entry into force of the adequacy decision, in order to verify that all relevant elements have been fully implemented and are functioning effectively in practice.

European Commission President Ursula von der Leyen issued a statement saying that the new framework “will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic.” She further noted that the US “has implemented unprecedented commitments to establish the new framework.”[8]

The safeguards implemented by the US in the area of national security apply to all data transfers under the GDPR to companies in the US, regardless of the transfer mechanisms used. These safeguards therefore also facilitate the use of other transfer tools, such as Standard Contractual Clauses and Binding Corporate Rules.[9] Companies that rely on one of those mechanisms can use the adequacy decision as part of any Transfer Impact Assessment, streamlining that analysis.

In a press conference, European Commissioner for Justice Didier Reynders said the decision means “[p]ersonal data can now flow freely and safely from the European Economic Area to the United States without further conditions or authorisations.”[10]

US Secretary of Commerce Gina Raimondo welcomed the decision, saying that it “reflects our shared commitment to facilitating data flows between our respective jurisdictions in a manner that protects individual rights and personal data.”[11]

Potential Legal Challenges

The new adequacy decision will, like the previous EU-US adequacy decisions, be subject to legal challenges. The DPF affords new safeguards to EU data subjects but underlying concerns regarding the potential scope and applicability of US surveillance and national security law persist. NOYB, a data privacy organisation founded by Austrian privacy activist Max Schrems (who was a party in Schrems I and Schrems II), has already declared that it will challenge the new decision, describing the DPF as “largely a copy” of the previously-invalidated Privacy Shield.[12] NOYB has stated that it will bring “the new deal back before the CJEU.”[13] However, a legal challenge could take several years to reach a final decision.

UK-US Data Transfers

In June 2023, the UK and US governments announced that they had committed in principle to the establishment of a “UK Extension to the Data Privacy Framework” (the Data Bridge), which would facilitate data flows between the two countries.[14] The European Commission’s adequacy decision paves the way for the implementation of the Data Bridge. Once in place, US companies that self-certify to the EU-US DPF will likely also be able to receive UK personal data under the Data Bridge. However, for now, the Data Bridge is still contingent on an assessment by the UK government, as well as on the adoption of adequacy regulations under the UK’s Data Protection Act of 2018 and on the designation of the UK as a “qualifying state” under the Biden Administration’s October 2022 Executive Order.

Switzerland-EU Data Transfers

Following the invalidation of the EU-US Privacy Shield in Schrems II, the Swiss Federal Data Protection and Information Commissioner similarly held that the Swiss-US Privacy Shield did not provide an adequate level of protection for transfers from Switzerland to the US.[15] On July 10, the Swiss Federal Data Protection and Information Commissioner (FDPIC) announced that it had taken note of the adequacy decision and that Switzerland is engaged in discussions regarding a parallel Swiss-US framework. Notably, Switzerland is implementing new data privacy regulations, effective September 1, 2023, which align Swiss data protection law with the GDPR. The FDPIC said it will determine the US’s adequacy under the new Swiss legislation “in due course.”

Next Steps for US Companies

US companies should evaluate the potential benefits and risks of participating in the DPF. Organisations that wish to certify their participation in the DPF must first submit information to the US Department of Commerce through the DPF’s website.[16] Organisations already certified to the Privacy Shield must update their privacy policies to refer to the “EU-US Data Privacy Framework Principles” within the next three months.[17] Companies that wish to self-certify must publicly commit to comply with the DPF’s Principles.

If a company self-certifies to the DPF, it will be able to freely transfer personal data from the European Economic Area to the US without having to conduct a Data Transfer Impact Assessment (DTIA) or implement supplemental measures. Companies relying on other data transfer mechanisms, such as Standard Contractual Clauses, can incorporate the adequacy decision into their DTIA analysis.

Conclusion

Legal challenges to the European Commission’s adequacy decision are likely, but, for now, the EU-US DPF can streamline the transfer of personal data from the EU to US organisations and allow companies to simplify their GDPR compliance procedures.

 

[1] European Commission, Commission Implementing Decision of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework (July 10, 2023), https://commission.europa.eu/system/files/2023-07/Adequacy%20decision%20EU-US%20Data%20Privacy%20Framework.pdf.

[2] Press Release, European Commission, Data Protection: European Commission adopts new adequacy decision for safe and trusted EU-US data flows (July 10, 2023), https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721.

[3] Case C-362/14, Maximillian Schrems v. Data Prot. Comm’r, ECLI:EU:C:2015:650 (Oct. 6, 2015).

[4] Case C-311/18, Data Prot. Comm’r v. Facebook Ireland Ltd. & Maximillian Schrems, ECLI:EU:C:2020:559 (July 16, 2020).

[5] The White House, Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (Oct. 7, 2022), https://www.whitehouse.gov/briefing-room/presidential-actions/2022/10/07/executive-order-on-enhancing-safeguards-for-united-states-signals-intelligence-activities/.

[6] Questions & Answers: EU-US Data Privacy Framework, European Commission (July 10, 2023), https://ec.europa.eu/commission/presscorner/detail/en/qanda_23_3752.

[7] Id.

[8] Press Release, European Commission, supra note 2.

[9] Questions & Answers: EU-US Data Privacy Framework, supra note 6.

[10] Jennifer Bryant, European Commission adopts EU-US adequacy decision, IAPP (July 10, 2023), https://iapp.org/news/a/european-commission-adopts-eu-u-s-adequacy-decision/.

[11] Press Release, US Department of Commerce, Statement from US Secretary of Commerce Gina Raimondo on the European Union-US Data Privacy Framework (July 10, 2023), https://www.commerce.gov/news/press-releases/2023/07/statement-us-secretary-commerce-gina-raimondo-european-union-us-data-0.

[12] European Commission gives EU-US data transfers third round at CJEU, noyb (July 10, 2023), https://noyb.eu/en/european-commission-gives-eu-us-data-transfers-third-round-cjeu.

[13] Id.

[14] Department for Science, Innovation and Technology, UK and US reach commitment in principle over ‘data bridge,’ GOV.UK (June 8, 2023), https://www.gov.uk/government/news/uk-and-us-reach-commitment-in-principle-over-data-bridge.

[15] FAQs – Swiss-US Privacy Shield (1-4), Privacy Shield Framework (Mar. 31, 2021), https://www.privacyshield.gov/article?id=Swiss-U-S-Privacy-Shield-FAQs#:~:text=On%20September%208%2C%202020%20the,pursuant%20to%20Switzerland%27s%20Federal%20Act.

[16] The DPF website is expected to be updated by July 17, 2023. It currently refers to the Privacy Shield.

[17] Annex I, Section III(6), Commission Implementing Decision, supra note 1.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
