Is third time the charm? European Commission adopts EU-US Data Privacy Framework for EU-US data transfers
Friday, 14 July 2023

On 10 July 2023, the European Commission completed its analysis of US law and practice concerning data protection, and has adopted its third adequacy decision in respect of the US. The Commission concluded that the US ensures an adequate level of protection for personal data transferred from a controller or a processor in the EU to certified commercial organisations in the US under the EU-U.S. Data Privacy Framework (DPF).
Underpinning the adoption of the adequacy decision was the introduction of certain reforms to US national security and surveillance law (chiefly through US President Biden’s Executive Order 14086). These reforms provide for:
- binding safeguards which limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security;
- enhanced oversight of activities by US intelligence services to ensure compliance with limitations on surveillance activities; and
- the establishment of an independent and impartial redress mechanism, which includes a new Data Protection Review Court to investigate and resolve complaints regarding access to personal data by US national security authorities.
Where the US importer of the personal data is not a certified organisation under the DPF, alternative transfer mechanisms such as standard contractual clauses (SCCs) or other ‘appropriate safeguards’ remain necessary under Article 46 of the GDPR. It is advisable to continue using transfer risk assessments and necessary supplementary measures when undertaking transfers of personal data to the US.
An adequacy decision does not require a finding of an identical level of data protection, but instead indicates whether the country in question guarantees a level of protection of personal data that is ‘essentially equivalent’ to the EU. The present adequacy decision concerning the EU-US DPF, which entered into effect on 10 July, will be subject to periodic review, with the first review date in one year’s time. This will determine whether all relevant elements have been fully implemented and are functioning effectively in practice.
Signing up to the DPF
To utilise the DPF for transfers of personal data from the EU to the US, the US-based data importing organisation must self-certify its adherence to the DPF Principles to the US Department of Commerce. Annex I of the adequacy decision sets out the relevant principles (the Principles).
To be eligible to certify (or re-certify on an annual basis) under the DPF, an organisation must:
(a) be subject to the investigatory and enforcement powers of the US Federal Trade Commission (FTC) or the US Department of Transportation. Other US statutory bodies recognised by the EU may be included in the future;
(b) publicly declare its commitment to comply with the Principles, make its privacy policies available and fully implement them;
(c) publicly disclose its privacy policies in line with the Principles; and
(d) fully implement the Principles.
The US Department of Commerce has responsibility for administering and supervising the certification and re-certification processes. It will also maintain a public list of DPF participants (the DPF List). The DPF also empowers the Department of Commerce, the Department of Transportation or the FTC to take enforcement actions against organisations that fail to comply with the Principles.
Across the Atlantic, the Department of Commerce has begun to issue guidance to US organisations that have maintained their certification under Privacy Shield or will seek to certify under the DPF for the first time. Measures have been announced for those with existing certification to transition to the DPF with immediate effect while further information on new applications for certification is expected in the coming days.
For EU-based organisations seeking to rely on the DPF, it is crucial they satisfy themselves that the US-based organisation appears on the DPF List (this website is not yet live). The European Data Protection Board has also announced its intention to issue further guidance for EU-based organisations on the DPF and its implications for them which should be taken into account once available.
Likely challenge to EU-US DPF
Two previous frameworks for the transfer of personal data from the EU to the US, Safe Harbour and Privacy Shield (see our earlier report here), were invalidated by the Court of Justice of the European Union (CJEU) respectively in the Schrems I and Schrems II litigation. The CJEU found in both instances that the level of data protection was not essentially equivalent between the EU and US. The litigant in those earlier challenges, Max Schrems, has already announced his intention to challenge the DPF before the CJEU, arguing that it is largely just a replication of the Privacy Shield principles and fails to take into account various previously raised issues involving US surveillance practices. It remains to be seen how such a challenge would fare before the CJEU in light of the measures to enhance protections for data privacy introduced by Executive Order 14086. The DPF may therefore be vulnerable to legal uncertainty should such a challenge materialise to seek a third successive invalidation of EU-US adequacy measures.
SCCs remain available (and relevant)
It is important to note that transfers of personal data from the EU to the US will not automatically fall within the DPF and not all will be eligible (e.g. only organisations involved in commercial activities may pursue certification under the DPF but banks, airlines, insurers and, in certain circumstances, telecommunications providers are excluded). Organisations that do not or cannot self-certify under the DPF will need to continue using appropriate safeguards such as SCCs (subject to transfer risk assessments and any required supplementary measures) for the transfer of personal data to the US. The European Commission has emphasised that “another authorised means” to ensure adequate protection for transfers of personal data from the EU to the US is to have a contract that “fully reflects the requirements of the relevant standard contractual clauses adopted by the Commission.”
The position involving transfers using SCCs has arguably been strengthened since Schrems II in light of the various protective measures relating to data privacy introduced by Executive Order 14086. Furthermore, there has been a recent indication by the US intelligence community that they will adopt policies and procedures pursuant to Executive Order 14086, which was noted by the European Commission in the adequacy decision. Transfer risk assessments (and associated supplementary measures) already undertaken for US transfers may now be revisited and updated in light of these reforms to US law and practice.
Further regulatory and governmental guidance is expected over the coming weeks on the DPF for EU and US based organisations and how it will be implemented. We will continue to monitor and update our clients on the evolving implementation of the DPF.
For further information or advice on how the recent judgment of the CJEU impacts upon your organisation, please contact Seán O’Donnell or Zelda Deasy or any other member of the ByrneWallace LLP Data Protection Team.