Summary
On July 10, 2023, the European Commission issued an adequacy decision for the EU-U.S. Data Privacy Framework (“EU-U.S. DPF” or “DPF”). The decision concludes that the U.S. ensures an adequate level of protection under the EU’s General Data Protection Regulation (“GDPR”) for personal data transferred from the European Economic Area1 to participating U.S. companies.
As was the case with predecessor programs, the Department of Commerce is tasked with administering the DPF and compliance with the program will mainly be enforced by the Federal Trade Commission. The International Trade Administration within the Department of Commerce has launched a new DPF website. Current participants in the EU-U.S. Privacy Shield (“Privacy Shield”) can self-certify to the DPF by updating their privacy policies to state their compliance with the DPF.
Background
The EU-U.S. DPF traces its roots back to the EU-U.S. Safe Harbor, which was invalidated by what is known as the Schrems I decision in 2015, and replaced by Privacy Shield, which in turn was invalidated by the Schrems II decision in 2020 (previously discussed here). Following the Schrems II decision, the U.S. and EU have been negotiating a program that rectifies the deficiencies the Court of Justice of the European Union (“CJEU”) identified in Privacy Shield in Schrems II. Specifically, the CJEU found that Privacy Shield did not sufficiently protect the personal data of EU data subjects from government surveillance in the U.S. and did not grant EU data subjects sufficient judicial redress.
In response, the U.S. issued Executive Order 14086 (“Enhancing Safeguards for United States Signals Intelligence Activities”), which provides for additional safeguards to ensure that U.S. signals intelligence activities are necessary and proportionate to the pursuit of defined national security objectives, enhances oversight of signals intelligence activities to ensure compliance with those limitations, and creates the Data Protection Review Court, which is a new independent redress mechanism for EU data subjects to submit complaints about access to their data by U.S. national security authorities. Notwithstanding these improvements, data activist Max Schrems, who challenged the prior programs, has already announced his plans to challenge the EU-U.S. DPF, claiming that it still does not guarantee adequate protection to the personal data of EU data subjects.
Comparison to Privacy Shield
Under the DPF, the U.S. government has taken on new obligations in comparison to its obligations under Privacy Shield, but the commercial terms (i.e., the obligations placed on participating organizations) remain largely unchanged between the two programs. The Department of Commerce intends for current Privacy Shield participants not to have to change their operations to transition over to the DPF.
The DPF makes non-substantive changes to the commercial terms, such as updating references from “EU-U.S. Privacy Shield” to “EU-U.S. DPF” and editing references to the redress mechanism to refer to it as an “independent” mechanism. The DPF also clarifies certain procedures around self-certification and withdrawal from the program. Additionally, the DPF expressly states that it can be used to facilitate transfers of key-coded data, a point of debate under Privacy Shield. The DPF does not, however, make any substantive changes to the main Privacy Shield Principles of (1) Notice; (2) Choice; (3) Accountability for Onward Transfer; (4) Security; (5) Data Integrity and Purpose Limitation; (6) Access; and (7) Recourse, Enforcement, and Liability.
What Do Organizations Need to Do?
To facilitate transfers pursuant to the DPF, a current Privacy Shield participant should:
- Review its current privacy practices to make sure they align with the EU-U.S. DPF principles (which are substantially unchanged from the Privacy Shield principles).
- Update its privacy policy(s) to change references to the EU-U.S. Privacy Shield to the EU-U.S. Data Protection Framework. Organizations have until October 10, 2023, to do this (the organization does not need to make a new self-certification with the Department of Commerce and may begin relying on the DPF to facilitate transfers as soon as it updates its privacy policies).
- Submit annually its re-certification to the Department of Commerce on the same date it would have had to re-certify under Privacy Shield.
Current Privacy Shield participants that do not wish to participate in the DPF, must formally withdraw in accordance with the appropriate procedures, including informing the Department of Commerce what they will do to protect the data they received under Privacy Shield.
Organizations that were not participants in Privacy Shield, but would like to participate in the DPF, can begin submitting to the Department of Commerce their self-certifications on July 17, 2023. These organizations cannot begin to rely on the DPF until they receive confirmation of their certification from the Department of Commerce.
What Does This Adequacy Decision Mean for Companies Using SCCs?
Companies that have been facilitating transfers of data from the EU to the U.S. pursuant to the EU Standard Contractual Clauses (“SCCs”) or other valid transfer mechanisms like binding corporate rules (“BCRs”) may, when conducting transfer impact assessments, be able to support the transfer by pointing to the EU-U.S. DPF as an endorsement by the European Commission of the changes the U.S. has made to its surveillance laws. The European Commission states in FAQs accompanying the decision that the safeguards put in place in the area of national security apply to all data transfers under the GDPR, including SCCs and BCRs. Of course, member state data protection authorities may take their own views on the matter.
Organizations currently relying on SCCs may wish to also self-certify to the DPF as a “belt and suspenders” approach to international data transfers to ensure coverage of any gaps that may exist in their SCC compliance efforts, or to otherwise signal a serious commitment to data privacy from a public relations standpoint.
A Note on the United Kingdom and Switzerland
The United Kingdom (“U.K.”) and the U.S. have agreed to establish a U.K. Extension to the EU-U.S. Data Privacy Framework (the “U.K. Extension”). DPF participants may self-certify their compliance with the U.K. Extension. However, they may not begin relying on the U.K. Extension to facilitate personal data transfers from the U.K. (and Gibraltar) until the U.K.’s adequacy regulations implementing the U.K. Extension enter into force, which is expected to happen later this year.
Additionally, Switzerland and the U.S. have agreed to the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”). Participants in the Swiss-U.S. Privacy Shield Framework must update their privacy policies by October 17, 2023, to benefit from the Swiss-U.S. DPF. However, they may not begin relying on the Swiss-U.S. DPF to receive personal data transfers from Switzerland until the date of entry into force of the Swiss Federal Administration’s anticipated recognition of adequacy, which is also expected later this year.
Notably, organizations can choose to certify to the Swiss-U.S. DPF alone, but the U.K. Extension is only available to organizations that have also certified to the EU-U.S. DPF.
[1] The European Economic Area (“EEA”) comprises the EU member states, as well as Norway, Iceland, and Liechtenstein.
