Is the Third Time the Charm? The EU-US Data Privacy Framework

Bass, Berry & Sims PLC

On July 10, the European Commission issued an adequacy decision on the EU-US Data Privacy Framework (DPF), ensuring adequate protection for personal data transferred from the European Union to the United States. This decision replaces the Privacy Shield Framework (Privacy Shield), which the Court of Justice of the European Union (CJEU) invalidated in the 2020 Schrems II decision.

Background

The CJEU invalidated both predecessors to the DPF, namely the EU-US Safe Harbor and the Privacy Shield, due to inadequate protections highlighted in the Schrems I and Schrems II decisions. In response to the CJEU’s concerns regarding United States national security and government surveillance, the European Commission collaborated with the United States to develop the DPF to enhance privacy protections for personal data. Foreshadowing the DPF, President Biden’s Executive Order 14086 established new safeguards governing surveillance and intelligence activities, along with a two-step judicial redress mechanism for individuals.

The DPF

Effective as of July 11, the DPF streamlines the transfer of personal data from European countries to certified organizations, eliminating the need for traditional General Data Protection Regulation (GDPR) mechanisms such as Standard Contractual Clauses (SCC), Binding Corporate Rules (BCR), and Transfer Impact Assessments. The DPF includes provisions similar to its predecessors – such as purpose limitations, data retention requirements, data minimization, and data security and data accuracy principles – but it also includes provisions designed to address the concerns raised by the CJEU in Schrems I and II. Notably, the DPF establishes a new Data Protection Review Court to safeguard against United States intelligence authorities’ unauthorized access to personal data. The European Commission retains the authority to conduct periodic assessments of the DPF, ensuring comprehensive integration of all the DPF elements and confirming their practical efficiency.

Certification Requirements

United States companies seeking participation in the DPF must publicly commit to specific privacy principles and obligations (Principles). Eligible organizations must initially self-certify and then annually re-certify to the U.S. Department of Commerce’s (DoC) International Trade Administration that the company adheres to the Principles through this website. Companies previously certified under the Privacy Shield are required to update their privacy policies to refer to the Principles within three months (i.e., by October 10, 2023) to ensure the DPF applies to them. If re-certification does not occur, the DoC will remove such companies from the DPF List and include them on a public record of organizations that have been removed from the list, in each case identifying the reason for such removal.

Impact and Challenges

The DPF significantly reduces compliance efforts for eligible organizations. United States companies evaluating DPF certification should weigh the potential benefits of transatlantic data exchange against the likelihood of potential legal disputes. Despite its enhanced privacy safeguards, the DPF will likely face legal scrutiny, similar to its predecessors, as it strives to satisfy the European Union’s stringent data protection requirements. Max Schrems has already criticized the European Commission for issuing what he considers the same framework for the third time. Given Schrems’ objection to the DPF, companies must assess the long-term viability of DPF certification. If Schrems succeeds, companies will again rely on standard GDPR mechanisms for transatlantic data transfers.

United States companies may choose not to use the DPF or wait until the challenges posed by Schrems are resolved. These companies may continue to use the SCCs and other GDPR mechanisms. Even without DPF certification, United States companies still benefit from the changes implemented in Executive Order 14086.

The authors wish to thank law clerk/summer associate Hannah Kent for her contributions to the article.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bass, Berry & Sims PLC | Attorney Advertising
