On July 10, 2023, the European Commission (EC) adopted an adequacy decision in relation to the EU-U.S. Data Privacy Framework (DPF). This paves the way for organizations to certify to the DPF, reducing friction for transfers of personal data from the EU to the U.S., and allowing companies to simplify their compliance with EU data flow restrictions. It thus represents a major development in the regulation of data flows from the EU to the U.S.

Background

The DPF is a self-certification program similar to its predecessors the “Safe Harbor” and the “Privacy Shield.” Those programs were invalidated by the Court of Justice of the EU (CJEU) in the cases known as “Schrems I” and “Schrems II” due to a number of concerns, most prominently those involving access to personal data of EU individuals by U.S. intelligence agencies. To address those concerns, U.S. President Biden signed an Executive Order (EO 14086) setting forth new safeguards for such data access. A key feature of the safeguards is a redress mechanism for individuals whose personal data is transferred to the U.S. Also, on July 3, 2023, the Office of the Director of National Intelligence confirmed that the U.S. Intelligence Community has adopted the policies and procedures that implement the safeguards specified in EO 14086. For more information, see the U.S. Department of Commerce’s press release here.

Key Facts

Companies that have undergone the DPF certification process will be able to import personal data from the EU and EEA into the U.S. without the need to rely on another data transfer mechanism, such as Standard Contractual Clauses (SCCs). We have outlined some of the key provisions of the DPF below.

• Self-certification: Organizations that wish to certify must first submit information to the Department of Commerce (DoC) through the DPF website (which was not fully operational at the time of writing), such as the name of their organization and a description of their purposes for processing personal data. Organizations already certified to the Privacy Shield must update their privacy policies to refer to the “EU-U.S Data Privacy Framework Principles” (Principles) within the next three months. Organizations must obtain the DoC’s approval to be added to the list of DPF participants. To maintain certification, organizations must pay a fee and recertify annually, which involves self-verifying compliance with the Principles. The DoC will maintain a list of certified companies and a list of formerly certified companies (together with reasons for removal). Organizations that self-certified with the Privacy Shield will need to formally withdraw if they do not wish to participate in the DPF.
• Compliance with the Principles: Companies that wish to self-certify must publicly commit to comply with the DPF’s Principles. These Principles keep the same headings as used under the Privacy Shield (e.g., Notice, Choice, Accountability for Onward Transfer), but the substance of some of the supplemental principles has been altered (e.g., the Self-Certification principle expands upon the details required for organizations self-certifying and recertifying and specifies that an organization that withdraws from the DPF must indicate to the DoC what it will do with the personal data that it received in reliance on the DPF).
• Enforcement: The Federal Trade Commission (FTC) will verify, through ex-officio investigations and complaints, whether companies comply with the Principles. An organization’s failure to comply is enforceable by the FTC under Section 5 of the FTC Act prohibiting unfair and or deceptive acts in or affecting commerce.
• Complaints handling:
  • Under the DPF, an individual can submit a complaint directly to either of the following:
    • The company that certified to the DPF, which must have complaint processes readily available and free of charge. Companies have 45 days to respond to the complaint. Individuals have access to an independent recourse body selected by the company.
    • EU Data Protection Authorities (DPAs), which will cooperate with the DoC and the FTC (EU DPAs’ advice is binding on organizations for complaints relating to HR data). The DoC will offer ex officio reviews, act as the contact person for EU DPAs, and provide a process for EU DPAs to refer complaints.
  • The FTC has committed to give priority consideration to referrals of noncompliance from dispute resolution bodies, privacy self-regulatory bodies, DoC, and EU Member States.
  • For residual claims, individuals may seek redress from the "EU-U.S. Data Privacy Framework Panel.” This panel will issue binding decisions and will only determine whether DPF-certified companies have violated their obligations, and whether any such violation remains fully or partially unremedied. There will be a possibility to impose “individual-specific, non-monetary equitable relief” (e.g., deletion of the data) and to seek judicial review and enforcement of the decisions pursuant to the U.S. Federal Arbitration Act. If there is a persistent failure to comply, the company will lose the benefits of the DPF, and be removed from the DPF List.
• Monitoring, Periodic Joint Review, and Supervision: The EC must monitor the DPF through periodic factual and legal checks. This involves continuous monitoring of the overall functioning of the DPF, and compliance by U.S. authorities with their representations and commitments. The EU and the U.S. will also conduct a periodic joint review, which will cover the functioning of all aspects of the DPF. It will take into account the U.S. government’s commitments and the transparency reports published (voluntarily) by companies. The result of the periodic joint review will be presented to the EU Parliament and Council of the EU. If the U.S. does not fulfill its commitments, the DPF may be suspended by the EC.

UK-U.S. Data Transfers

While the UK is no longer a member of the EU, the announcement of the EC’s adequacy decision also paves the way for the establishment of a “UK Extension to the Data Privacy Framework,” which would facilitate flows of personal data between the UK and the U.S. (the “Data Bridge”) under UK law. Once in place, it is expected that when U.S. companies self-certify to the DPF this will also allow them to receive UK personal data under the Data Bridge. The Data Bridge is still contingent on an assessment by the UK government, the adoption of adequacy regulations under the Data Protection Act 2018, and the U.S. designating the UK as a “qualifying state” under EO 14086.

Practical Considerations

Under the General Data Protection Regulation (GDPR), companies are required to ensure personal data is adequately protected when transferred outside the EU, which requirement both the CJEU and the EU DPAs have interpreted narrowly. This is illustrated by the recent Meta decision of the Irish Data Protection Commission, where it considered that Meta's implementation of the SCCs and supplemental safeguards were not sufficient to comply with the GDPR’s data transfer restrictions.

The DPF will significantly simplify GDPR compliance for organizations transferring personal data from the EEA to the U.S. If an organization self-certifies to the DPF, it will be able to freely transfer personal data to the U.S. without having to carry out a Data Transfer Impact Assessment (DTIA) or implement supplemental measures. This is because the DPF is considered to provide adequate protection for the data flows. Organizations that continue to rely on the SCCs will be able to invoke the DPF’s safeguards in their DTIAs to justify their data flows to the U.S.¹ Companies that currently use SCCs should consider whether the DPF would be a more appropriate transfer solution. The SCCs have downsides, such as having to execute them with each customer, partner, or vendor that are part of a restricted data flow. Although the DPF will likely be challenged in court, this will likely take a number of years. In the meantime, the DPF provides a data transfer mechanism that companies can manage through self-certification.

^[1]See https://ec.europa.eu/commission/presscorner/detail/en/QANDA_22_6045.