On July 10, 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework (DPF). The decision concluded that the United States does ensure an adequate level of protection for transferring personal data from the European Union to the United States. In this On the Subject, we analyze this impactful decision and highlight compliance obligations for US companies seeking to become DPF-certified.
EU-US CROSS-BORDER TRANSFER BACKGROUND
The DPF creates a lawful transatlantic framework that allows the free flow of data from the EU to DPF-certified companies located in the United States. It will no longer be necessary for these transferring entities to implement additional safeguards (e.g., binding corporate rules, the European Commission’s standard contractual clauses, industry-specific codes of conduct or EU certification mechanisms) to ensure that personal data continues to be protected under the General Data Protection Regulation (GDPR).
The adequacy decision is the result of lengthy negotiation between the Biden administration and the European Commission following the European Court of Justice’s Schrems I and Schrems II rulings, which invalidated prior frameworks for EU-to-US cross-border data transfers. In Schrems II, the European Court of Justice found that the now-invalidated Privacy Shield failed to provide Europeans with effective redress rights or adequate protection against interception of their data by US intelligence authorities. Following Schrems II, the United States took steps to implement additional protections addressing these concerns about US surveillance law, which included issuing Executive Order 14086 in late 2022, “Enhancing Safeguards for United States Signals Intelligence Activities.” These steps helped pave the way for approval by EU member states and final adoption by the European Commission.
The DPF includes provisions similar to those of its predecessors—such as purpose limitations, data retention requirements, data minimization, data security and data accuracy principles—but it also includes provisions designed to address the concerns raised by the European Court of Justice in Schrems I and II. Specifically, the DPF includes enhanced data protection safeguards, including limiting US intelligence services’ access to EU personal data to that which is necessary and proportionate. Potentially most significantly for EU individuals, the DPF also establishes the Data Protection Review Court, whose role is to “handle and resolve” EU individuals’ complaints regarding concerns over US intelligence activities related to their data.
The European Commission will carry out periodic reviews of the DPF together with representatives of the European Data Protection Authorities and the relevant US authorities. The first review will take place in 2024, as the DPF requires the first review to be completed within a year. Per the DPF, this first review should be designed to ensure that all relevant features of the DPF have been fully and effectively implemented as planned.
CERTIFICATION AND ENFORCEMENT PROCESS
The DPF will be administered by the US Department of Commerce, which will process certification applications and monitor whether participating companies continue to meet certification requirements. Compliance under the DPF will be enforced by the US Federal Trade Commission.
The US International Trade Administration has already launched a website dedicated to the DPF and allowing for self-certification. However, that website appears “under construction” and is not yet accepting applications.
In the meantime, the old Privacy Shield website provides a set of FAQs related to certification under the new DPF. While the DPF does “not create new substantive obligations for participating organizations” that were already subject to the Privacy Shield, there are certain important steps that companies must take, including:
Updating privacy policies to incorporate the new DPF terms in lieu of Privacy Shield terms.
Ensuring that existing Privacy Shield certifications are brought up to date, including through recertification and paying the required fees.
US-based organizations that self-certified their commitment to comply with the Privacy Shield must comply with the DPF principles, including by updating their privacy policies by October 10, 2023. Those organizations do not need to make a separate, initial self-certification submission to participate in the DPF and may begin relying immediately on the DPF.
Many companies may have let their Privacy Shield certifications lapse following the uncertainty created by Schrems II, so there is no better time to check those certifications. If a company was not previously certified under the Privacy Shield, there is work to do with respect to creating internal and external policies.
POSSIBLE SCHREMS III STILL TO COME
The European Commission’s adequacy decision eases the burden of global commerce for many businesses. However, the future of the DPF remains uncertain. Privacy advocacy organization NOYB, which challenged both the Safe Harbor and Privacy Shield in Schrems I and II, has already publicly stated that it will appeal the framework for being a substantial “copy” of the Privacy Shield and its predecessors that fails to address the same concerns related to “fundamental” surveillance issues. For instance, the organization argues that the DPF does nothing to provide non-US citizens with reasonable privacy protections afforded to US citizens under the Fourth Amendment of the US Constitution.
Despite the impending challenge to the DPF decision, many businesses may nonetheless consider certifying under DPF because the certification process could still reduce compliance and contractual burdens otherwise incurred during the appeal. Companies interested in evaluating the merits of DPF certification should contact the authors or their regular McDermott lawyer.