On July 10, 1962, NASA launched Telstar 1, the first active communications satellite linking Europe and the United States through live television transmission. Sixty-one years later, on July 10, 2023, the European Commission announced that it had adopted its adequacy decision for the EU-U.S. Data Privacy Framework (DPF), the third attempt at creating a bridge across the Atlantic for transferring personal data from the European Union to the United States. The DPF re-establishes a popular legal mechanism for permitting personal data flows between these two major economic players, potentially alleviating business concerns for many while also addressing concerns about how U.S. intelligence agencies handle Europeans’ personal information. This long-awaited decision has been met with cautious optimism, and most companies should carefully consider whether and how to use this newly approved personal data transfer mechanism.
Here are some common questions we’ve heard and what we know so far. At the bottom of this post, we have provided links to resources for additional information.
1. What is the DPF? What does it do? What doesn’t it do?
An adequacy decision is one mechanism permitted under the European Union’s General Data Protection Regulation (GDPR) to safeguard personal data transferred out of the European Economic Area (EEA). Typically, adequacy decisions are issued for an entire country or jurisdiction (for example, Japan and the Faroe Islands), thereby allowing personal data to flow freely to that jurisdiction. The DPF functions differently in that it does not grant adequacy to the United States as a whole, but rather applies to public or private organizations that choose to participate in the DPF. Organizations that self-certify to the DPF can lawfully transfer personal data from the EEA to the United States without adopting other safeguards. The DPF does not cover personal data transfers to any other jurisdiction.
2. What does my company have to do to participate in the DPF? Is it different than what was required for the Privacy Shield Framework?
U.S. companies will self-certify (and annually recertify) to the DPF, which requires compliance with a detailed set of privacy obligations and public representations. The DPF is administered by the Department of Commerce and enforced by the Federal Trade Commission (FTC). It is anticipated that the certification process for the DPF will be similar to the Privacy Shield Framework. The DPF obligations on companies are largely the same, and available FAQs state that the DPF “will not create new substantive obligations for participating organizations with regards to protecting EU personal data.” The major changes under the DPF primarily affect the U.S. government’s access to data and related obligations, which were key points of contention underpinning the invalidation of the Safe Harbor and Privacy Shield Frameworks. The FTC actively pursued companies that falsely certified compliance with the Privacy Shield Framework, and we should expect the agency to pursue false DPF certifications with similar (if not increased) interest, so a company should not casually self-certify before confirming it has met the DPF’s requirements.
3. Will the DPF be invalidated like its predecessors, the Safe Harbor and Privacy Shield Frameworks?
The DPF will almost certainly be challenged. Max Schrems and noyb have long foreshadowed that they would challenge the DPF if it were to be adopted. On July 10, 2023, noyb’s press release about the DPF included a statement that they have a challenge ready to be filed. Schrems is quoted in the press release as saying, “We have various options for a challenge already in the drawer, although we are sick and tired of this legal ping-pong.” (Us too, Max.) As to any decision on the legality of the DPF, that is harder to predict. The DPF has been criticized by various parties throughout the adequacy decision process, and it is an open question, despite assurances from the United States, whether the U.S. has gone far enough to address the EU’s concerns about government surveillance and individual redress.
The European Commission is also monitoring developments in the United States on an ongoing basis and will review the DPF next year, which could lead to changes to the DPF or even withdrawal of the adequacy decision.
4. Since Schrems II, my company has relied on EU Standard Contractual Clauses (SCCs) as our personal data transfer mechanism. Do we need to certify to the Data Privacy Framework? Should we?
No company is required to use the DPF, and it may not be the right choice for many companies. The SCCs remain a valid transfer mechanism under the GDPR, and there are many reasons to keep using them. In addition, changes implemented by the United States during the negotiation of the DPF can benefit U.S. companies processing EEA personal data even if they do not participate in the DPF. For example, the new restrictions on the U.S. government’s use of signals intelligence under Executive Order 14086 apply regardless of the transfer mechanism used and may be relied upon in a company’s transfer impact assessment when using SCCs.
That said, some companies may want to participate in the DPF for practical or business reasons. For example, the DPF could replace their reliance on SCCs for routine types of personal data flows, or help build trust with European clients who might find comfort in the required public statement of adherence to DPF principles. In some circumstances, compliance with the DPF principles may be easier for some companies than compliance with the contractual obligations imposed by the SCCs.
Remember, too, that other options exist; binding corporate rules or permitted derogations may be preferable alternatives, for instance. You can even leverage a variety of transfer mechanisms within the same company – for example, the DPF for intra-company personal data flows and SCCs for onward transfers to vendors. Depending on the specific situation, many companies can benefit from varied uses of the personal data transfer mechanisms permitted under the EU’s GDPR for different relationships or types of personal data.
5. If my company has maintained its certification to the Privacy Shield Framework, will that transfer over to the DPF or facilitate the certification process?
U.S. Secretary of Commerce Gina Raimondo issued a statement on July 10, 2023, indicating that the Department of Commerce will be reaching out to companies participating in the EU-U.S. Privacy Shield Framework to facilitate their transition to the DPF. Based on existing FAQs, companies already participating in the Privacy Shield Framework will need to continue to comply with the privacy principles as amended by the DPF, and recertify annually. Additionally, companies already participating in the Privacy Shield Framework will need to update privacy policies and other documentation by October 10, 2023, to replace references to the Privacy Shield and make any other necessary amendments to refer to the DPF and its principles.
6. Can the DPF be used to cover personal data transfers from the United Kingdom or Switzerland?
The United Kingdom is working to establish its own agreement with the United States to aid data transfers through an extension of the DPF to the United Kingdom. An agreement in principle on the establishment of this so-called “data bridge” was reached in early June 2023. The United Kingdom’s press release states that the data bridge is a “key deliverable for UK-U.S. data flows in 2023,” so we generally anticipate that the U.S. and UK will conclude this agreement quickly, especially now that the European Commission has adopted the DPF adequacy decision.
Switzerland previously adopted its own version of the Privacy Shield Framework, so we generally anticipate that it will similarly adopt the DPF. Switzerland has usually followed the EU with respect to personal data transfers and invalidated the Swiss-U.S. Privacy Shield Framework less than two months after the European Court of Justice invalidated the EU-U.S. Privacy Shield. Switzerland also permits the use of the EU’s SCCs with modifications. However, the revised Swiss Federal Act on Data Protection, which comes into effect September 1, 2023, may add to the considerations Switzerland is weighing before signing on to a new adequacy framework.
[View source.]
