On 10 July 2023, the European Commission adopted its long-awaited adequacy decision for the EU-U.S. Data Privacy Framework (the DPF). With immediate effect, the adequacy decision provides a new lawful basis for transfers from the EU to the U.S. This means that companies that participate in the DPF are able to transfer data from the EU to the U.S. without relying on another data transfer mechanism, such as Standard Contractual Clauses (SCCs) or binding corporate rules (BCRs).

Background to the Adequacy Decision

Pursuant to Article 45(3) of the GDPR, the European Commission has the power, by means of an adequacy decision, to decide that a non-EU country has sufficient standards of data protection to be treated as equivalent to those afforded in the EU.

In the case of Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18) (Schrems II), which we have discussed in a previous alert, the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield (the Privacy Shield), the predecessor to the DPF. The CJEU found that the surveillance of personal data by U.S. public authorities goes beyond what is strictly necessary, and therefore conflicts with the EU’s principle of proportionality. Since Schrems II, the European Commission and the U.S. government have engaged in lengthy discussions on a new framework.

The U.S. Executive Order (EO) 14086 on ‘Enhancing Safeguards for United States Signals Intelligence Activities’ in October 2022 introduced new binding safeguards relating to data accessed by U.S. intelligence agencies in order to address issues raised in Schrems II. For instance, it limits such access to that which is necessary and proportionate, and provides for an independent and impartial redress mechanism to handle and resolve complaints from Europeans concerning data collection for U.S. national security purposes. It is clear from the recitals to the adequacy decision, that (EO)14086 was significant in laying the foundations for the European Commission’s decision.

The Data Privacy Framework

The DPF introduces significant improvements compared with the mechanisms that existed under the Privacy Shield. Under Article 1 of the adequacy decision, it concludes that the U.S. ensures an adequate level of protection for personal data transferred to organisations that have committed to the ‘EU-U.S. Data Privacy Framework Principles’ (the DPF Principles), and which are therefore included in the ‘Data Privacy Framework List’, which is maintained and made publicly available by the U.S. Department of Commerce.

The DPF introduces new binding safeguards to address the concerns raised by the CJEU, outlined below.

• Limits to ensure that access to data by U.S. intelligence authorities is restricted to what is necessary and proportionate to protect national security.
• Enhanced oversight of the activities of U.S. intelligence services by judicial and non-judicial bodies.
• The establishment of an independent and impartial redress mechanism, which includes the Data Protection Review Court (DPRC), to which EU individuals may submit complaints regarding an alleged violation of the new safeguards. The DPRC will investigate and resolve complaints, including the adoption of binding remedial measures such as ordering the deletion of the data.

U.S. companies may join the DPF by committing to comply with a detailed set of privacy obligations. For instance, they will be required to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties.

Transfers from the EU to the U.S. under the DPF will not require a Data Transfer Impact Assessment (DTIA) to be performed, unlike other transfer mechanisms. However, companies that continue to rely on SCCs and BCRs will still be able to invoke the DPF’s safeguards in their DTIAs to justify their data flows to the U.S. Accordingly, in its press release the European Commission stated that the DPF safeguards will “facilitate transatlantic flows more generally.”

Self-certification

The DPF is a self-certification program similar to its predecessors. Therefore U.S.-based companies which self-certified under the Privacy Shield and now want to rely on the DPF as a transfer mechanism must self-certify their adherence to the DPF Principles, including by updating their privacy policies to refer to the “EU-U.S. Data Privacy Framework Principles” by 10 October 2023. Such companies will automatically be transitioned and may begin relying on the DPF immediately. A separate initial self-certification submission will not be required. Companies that had self-certified with the Privacy Shield but do not wish to participate in the DPF will need to formally withdraw. Organizations wishing to rely on the UK Extension to the DPF may do so once the UK’s adequacy regulations come into force. Similar mechanisms for Switzerland will come into effect on July 17, 2023 and will be effective following a parallel process for adequacy being undertaken by the Swiss Federal Administration.

Takeaways and next steps

The adequacy decision entered into force with its adoption on 10 July 2023 along with the DPF Principles. The European Commission has confirmed that, alongside representatives of European data protection authorities and competent U.S. authorities, it will subject the DPF to periodic reviews.

It should be noted that the adequacy decision may still be subject to an invalidation procedure before the CJEU. We anticipate that it is likely that there will be legal challenges to the DPF similar to those brought against the Privacy Shield. For example, the privacy activist group NOYB (chaired by Max Schrems) has already confirmed it will challenge the adequacy decision.

The adequacy decision is a welcome development for companies carrying out transatlantic personal data transfers. Such companies should now have greater certainly by relying on the DPF that they will not be at risk of fines, so long as the adequacy decision is not invalidated by the CJEU. Data importing companies in the U.S. that would like to benefit from the DPF should look to self-certifying and taking steps to comply with the DPF Principals.