On July 10, 2023, the European Commission officially adopted its adequacy decision for the new EU-U.S. Data Privacy Framework (“DPF”), concluding that the U.S. ensures an adequate level of protection for personal data transferred from the EU to U.S. organisations participating in the EU-U.S. Data Privacy Framework.[1] This allows EU organisations to freely transfer personal data that is subject to the GDPR to participating organisations in the U.S.
This is the third adequacy decision adopted by the European Commission with regard to data transfers to the U.S., the previous two adequacy decisions (with respect to the “U.S.-EU Safe Harbour” and the “EU-U.S. Privacy Shield”) having been invalidated by the Court of Justice of the European Union (“CJEU”).[2]
EU-U.S. Data Privacy Framework
The adoption of this adequacy decision marks the last step in the process to replace the EU-U.S. Privacy Shield, which was previously invalidated by the CJEU in its Schrems II decision, with the new DPF. Having entered into force on July 11, 2023, the new DPF is touted by the European Commission as introducing “new binding safeguards to address all the concerns raised by the [CJEU]”, allowing “personal data [to] flow safely from the EU to the U.S. companies participating in the [DPF], without having to put in place additional data protection safeguards.”
Accordingly, to the extent personal data is transferred to U.S. organisations participating in the DPF, data exporters and importers no longer need to provide an appropriate safeguard as set forth in Article 46 of the GDPR (e.g. standard contractual clauses or binding corporate rules), or rely on a derogation under Article 49 of the GDPR.
Similar to the EU-U.S. Privacy Shield, the DPF is based on a system of certification, and the adequacy decision relates only to data transfers from the EU to U.S. organisations that are certified under the DPF. Underpinning the DPF is a set of privacy principles issued by the U.S. Department of Commerce – the ‘EU-U.S. Data Privacy Framework Principles’ (“DPF Principles”) – with which the certified U.S. organisations will need to comply. These DPF Principles generally correspond with the principles set out in the GDPR itself, including those relating to ‘Notice’, ‘Choice’, ‘Accountability for Onward Transfer’, ‘Security’, ‘Data Integrity and Purpose Limitation’, ‘Access’, and ‘Recourse, Enforcement and Liability’, with additional supplemental principles for specific types of data (such as sensitive data and human resources data).
In order to be eligible for certification under the DPF, the U.S. organisation must be subject to the investigatory and enforcement powers of the Federal Trade Commission or the U.S. Department of Transportation. U.S. organisations that wish to participate in the DPF must self-certify that they will comply with the DPF Principles, make their privacy policies available and fully implement them. Once the U.S. Department of Commerce verifies that the U.S. organisation meets all certification requirements, that organisation will be added to a publicly available “Data Privacy Framework List”.
One of the concerns raised by the CJEU in its Schrems II decision that the DPF attempts to resolve relates to the access to and use of EU data by U.S. public authorities for national security purposes. In particular, the CJEU in Schrems II noted that Section 702 of the Foreign Intelligence Surveillance Act implements surveillance programmes that do not “correlate to the minimum safeguards resulting, under EU law, from the principle of proportionality, with the consequence that the surveillance programmes based on those provisions cannot be regarded as limited to what is strictly necessary” and that it does not grant “data subjects rights actionable in the courts against the U.S. authorities, from which it follows that data subjects have no right to an effective remedy.”
In this regard, the European Commission considered that the U.S., in implementing the DPF, has issued Executive Order 14086 on Enhancing Safeguards for United States Signals Intelligence (“EO 14086”), setting limitations and safeguards for all U.S. signals intelligence activities. In particular, EO 14086 requires that appropriate safeguards must be in place to ensure that privacy and civil liberties are integral considerations in the planning of any signals intelligence activities, which may only be carried out “following a determination, based on a reasonable assessment of all relevant factors, that the activities are necessary to advance a validated intelligence priority” and only conducted “to the extent and in a manner that is proportionate to the validated intelligence priority for which they have been authorised.”
EO 14086 establishes a specific redress mechanism for EU individuals with regard to alleged violations of U.S. law governing signals intelligence activities that adversely affect their privacy and civil liberties interests – the Civil Liberties Protection Officer and, most notably, the Data Protection Review Court (“DPRC”). The Civil Liberties Protection Officer is responsible for ensuring compliance by U.S. intelligence agencies with privacy and fundamental rights. Individuals will also have the possibility to appeal the decision of the Civil Liberties Protection Officer before the DPRC.
All countries in the European Economic Area (“EEA”) have been designated “qualifying states”, and the DPRC is available as a redress mechanism for any individuals from the EEA. As a result, and on the basis of “the limitations, safeguards and redress mechanism established by EO 14086”, the European Commission considered that the concerns raised by the CJEU in Schrems II in this regard have been sufficiently addressed.
Implications for EEA data exporters transferring data to the U.S.
The DPF is envisaged by the European Commission and the U.S. government to provide organisations transferring personal data between the EEA and the U.S. with legal certainty. That said, EEA data exporters should bear in mind the following when transferring data to the U.S.:
1. The adequacy decision only applies in relation to the DPF. EEA data exporters will only benefit from this adequacy decision if they are transferring data to U.S. organisations certified under the DPF. Any data transfers to U.S. organisations that are not certified will still need to be subject to additional appropriate safeguards (e.g. standard contractual clauses or binding corporate rules) unless a derogation under Article 49 GDPR applies.
2. The adequacy decision will likely be challenged before the CJEU. For as long as the adequacy decision adopted in relation to the DPF is not invalidated by the CJEU, EEA data exporters will be in compliance with the GDPR when transferring data to U.S. organisations certified under the DPF. EU national data protection supervisory authorities are bound by this adequacy decision and will not be able to challenge data transfers made pursuant to the DPF. However, critics and privacy advocacy groups have already publicly stated that they will challenge the validity of this adequacy decision before the CJEU. If the adequacy decision and the DPF were to be invalidated by the CJEU, EU data exporters may need to immediately stop the transfer of any data pursuant to the DPF[3] until additional appropriate safeguards are put in place. Accordingly, as a fallback, EEA data exporters may, in addition to relying on the DPF, consider having in place additional appropriate safeguards (e.g. standard contractual clauses or binding corporate rules) and agree with the importers that such safeguards would automatically take effect if and when the DPF is invalidated.
3. Certain types of data fall outside the scope of the DPF, and additional obligations may apply to some data. Generally, the DPF applies to any personal data transferred from the EEA. However, the adequacy decision makes clear that data that is “collected for publication, broadcast or other forms of public communication of journalistic material and information in previously published material disseminated from media archives” cannot be transferred on the basis of the DPF. In addition, certain types of data, such as human resources data, are subject to supplemental principles which require the U.S. organisation to commit to additional obligations. EEA data exporters must ensure that the U.S. organisation to which data is being transferred has committed to, and can comply with, these additional obligations. For instance, where human resources data is involved, the U.S. organisation must commit to cooperate with the competent EU data protection authority if there are any complaints from the relevant employees.
4. The safeguards under the DPF could still be taken into account in Transfer Impact Assessments (“TIAs”) even where the DPF is not relied upon to transfer data to the U.S. EEA data exporters can reference and rely on this adequacy decision when undertaking the TIA required under the standard contractual clauses or binding corporate rules. This means that, even if an EEA data exporter cannot, or chooses not to, transfer data to the U.S. pursuant to the DPF, this adequacy decision could still prove helpful for other data transfers to the U.S. In particular, EEA data exporters can take into account the European Commission’s finding that EO 14086 sufficiently addresses the concerns raised in Schrems II with regard to the U.S. surveillance programmes.[4] However, whether this means that data exporters and importers would no longer need to put in place any supplementary measures (i.e., to bring the level of data protection in the U.S. to the standard required by EU law) is not clear from the DPF.
What’s next?
The adequacy decision for the DPF will be subject to periodic reviews. In the European Commission’s press release regarding the adoption of the adequacy decision for the DPF, it noted that “the first review will take place within one year after the entry into force of the adequacy decision, to verify whether all relevant elements of the US legal framework have been fully implemented and are functioning effectively in practice.”
As noted above, critics and privacy advocacy groups have already publicly stated that they will challenge the validity of this adequacy decision before the CJEU. There may remain a degree of legal uncertainty until the CJEU provides its ruling either way. While this adequacy decision relates only to personal data subject to the GDPR being transferred from the EEA to the U.S., the UK and the U.S. are currently working to agree an extension to the DPF such that it would also encompass personal data subject to the UK GDPR being transferred from the UK. While the timeline for this is unclear, it is likely that this will be put in place in the next few months.
[1] The text of the adequacy decision can be accessed from here.
[2] See our blog post here for details on the Schrems II judgment.
[3] The CJEU invalidated the EU-U.S. Privacy Shield with immediate effect in Schrems II without any grace period, and this may similarly be the case if the CJEU were to invalidate the DPF.
[4] The Schrems II judgment held that, where parties rely on standard contractual clauses to export EU data, such clauses must be supplemented with appropriate (technical, organisational and contractual) measures where the data is exported to a jurisdiction that does not afford a level of protection essentially equivalent to that afforded under EU law.