Nearly three years after the Court of Justice of the European Union (“CJEU”) invalidated the EU-U.S. Privacy Shield in Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (Case C-311/18) (“Schrems II”) and following a long-running process of transatlantic negotiations, the EC finally concluded that the U.S. ensures an adequate level of protection for personal data transferred under the EU-U.S. DPF from a controller or a processor in the EU to certified organizations in the U.S. In its press release, the EC announced that personal data can now flow safely from the EU to U.S. companies participating in the EU-U.S. DPF without having to put in place additional data protection safeguards.

In today’s blog post, we take a look back at the timeline leading up to adoption of the adequacy decision, what certification under the new EU-U.S. DPF requires, and what this means for transatlantic data transfers going forward.

Background

The new EU-U.S. DPF represents the latest attempt to establish a legal framework for transatlantic data flows. In October 2015, the CJEU declared the Safe Harbor Framework to be an invalid mechanism for transfers of personal data from the EU to the U.S. in Maximillian Schrems v. Data Protection Commissioner (Case C-362/14) (“Schrems I”).  Several years later in July 2020, the CJEU also invalidated the EU-U.S. Privacy Shield in Schrems II, stating:

“In the view of the Court, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country, which the Commission assessed in Decision 2016/1250, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.”

Although the Standard Contractual Clauses and the Binding Corporate Rules remained valid, efforts continued to formulate a new cross-border data transfer agreement.

On March 25, 2022, President Biden and EC President Ursula von der Leyen announced that the U.S. government and the EC had agreed in principle to establish a new Trans-Atlantic Data Privacy Framework to foster cross-border data flows and to address concerns raised by the CJEU in Schrems II.

In October 2022, President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities.

In December 2022, the EC published its draft adequacy decision for the EU-U.S. DPF. In February 2023, the European Data Protection Board welcomed substantial improvements contained in the EC’s draft adequacy decision, but also highlighted several remaining concerns. In May 2023, the European Parliament adopted a nonbinding opinion rejecting the EC’s draft adequacy decision. On July 6, 2023, twenty-four EU member states voted in favor of the EU-U.S. DPF (with three abstaining).

Access and Use of Personal Data Transferred from the EU by U.S. Public Authorities

The EC was ultimately persuaded by President Biden’s Executive Order and found that “any interference in the public interest, in particular for criminal law enforcement and national security purposes, by U.S. public authorities with the fundamental rights of the individuals whose personal data are transferred from the EU to the U.S. under the EU-U.S. DPF, will be limited to what is strictly necessary to achieve the legitimate objective in question, and that effective legal protection against such interference exists.”

Overview of the Certification Process

To rely on the EU-U.S. DPF to effectuate transfers of personal data from the EU, a U.S. company must self-certify its adherence to a set of Principles and Supplemental Principles (collectively, the “Principles”) issued by the U.S. Department of Commerce.  As a first step, to be eligible for certification, a U.S. company must:

1. be subject to the investigatory and enforcement powers of the Federal Trade Commission (“FTC”), the U.S. Department of Transportation, or another statutory body that will effectively ensure compliance with the Principles (other U.S. statutory bodies recognized by the EU may be included as an annex in the future);
2. publicly declare its commitment to comply with the Principles (discussed below);
3. publicly disclose its privacy policies in line with the Principles; and
4. fully implement the Principles.

To initially self-certify or re-certify under the EU-U.S. DPF, a U.S. company must submit certain pieces of required information, such as a description of its privacy policies, contact information for the handling of complaints and inquiries, the name of any privacy program in which the company is a member, the method of verification, and the relevant independent recourse mechanism.

Participating companies must re-certify on an annual basis. The Department of Commerce, in turn, will maintain a public and authoritative list of certified U.S. companies. The public list and other information can be found at this website, though it is still under construction as of the date of this blog post.

The Principles and Supplemental Principles

The Department of Commerce issued the following Principles to which participating companies must adhere.  These Principles relate to:

1. Notice
2. Choice
3. Accountability for Onward Transfer
4. Security
5. Data Integrity and Purpose Limitation
6. Access
7. Recourse, Enforcement and Liability.

The Supplemental Principles provide more information and practical context on a variety of topics including sensitive data, journalistic exceptions, secondary liability, performing due diligence and conducting audits, the role of the data protection authorities, self-certification, verification, the access principle in practice, human resources data, obligatory contracts for onward transfers, dispute resolution and enforcement, the choice principle in practice, travel information, pharmaceutical and medical products, public record and publicly available information, and access requests by public authorities.

Max Schrems and NOYB Reaction

Max Schrems has already indicated that his privacy advocacy organization, none of your business (“NOYB”), will challenge this adequacy decision. In a press release published on the same day as the adequacy decision announcement, Schrems remarked:

“We have various options for a challenge already in the drawer, although we are sick and tired of this legal ping-pong. We currently expect this to be back at the Court of Justice by the beginning of the next year. The Court of Justice could then even suspend the new deal while it is reviewing the substance of it. For the sake of legal certainty and the rule of law we will then get an answer if the Commission’s tiny improvements were enough or not. For the past 23 years all EU-US deals were declared invalid retroactively, making all past data transfers by business illegal – we seem to just add another two years of this ping-pong now.”

Conclusion and Key Takeaways

In addition to the Standard Contractual Clauses and the Binding Corporate Rules, companies can now utilize the EU-U.S. DPF as a valid transfer mechanism. However, it remains to be seen whether the EU-U.S. DPF will suffer the same fate as the Safe Harbor Framework and the EU-U.S. Privacy Shield did. Businesses should consider key strategic decisions before deciding whether to leverage the EU-U.S. DPF framework, but this is a solid next step in the continued discussions regarding the transfer of personal data from the EU to the U.S.