International

Quick Facts: New EU-U.S. Data Privacy Framework

Published: Jul. 12, 2023

On July 10, 2023, the European Commission (“EC”) adopted its adequacy decision for the EU-U.S. Data Privacy Framework (“DPF”), ushering in a new era of transatlantic data flows. Key points:

  • Companies can now transfer EU GDPR-regulated personal data to companies certified under the DPF without using the Standard Contractual Clauses (“SCCs”) or Binding Corporate Rules (“BCRs”).
  • Current active members of the EU-U.S. Privacy Shield are automatically members of the DPF and must revise their privacy policies to reflect this fact within three months.
  • Transfers of EU GDPR-regulated data to DPF participants do not require transfer impact assessments (“TIAs”). TIAs are still required for transfers under the SCCs or BCRs, but the changes to U.S. law recognized by the adequacy decision mean that, in practice, the perceived deficiencies in U.S. law that led to the invalidation of the Privacy Shield and to the recent record fine against Meta for its reliance on the SCCs should not normally prevent those TIAs from concluding that transfers to the U.S. will receive sufficient protection. (Max Schrems begs to differ.)

Adequacy Decision 

The adequacy decision finds that, due to the changes to U.S. law discussed in the Background section below, the U.S. ensures a level of protection comparable to that of the EU for personal data transferred under the DPF. The changes are not sufficient on their own (i.e., they are insufficient to justify an unqualified determination that the U.S. legal system provides adequate protection) because the U.S. lacks a national data protection law similar to the EU General Data Protection Regulation (“GDPR”). The DPF Principles supplement this by requiring participating companies to implement EU-inspired protections in their handling of covered personal data that closely follow the requirements of the now-defunct Privacy Shield (as we’ve covered here).

Substantively, the biggest difference between the DPF Principles and the Privacy Shield Principles is that DPF participants must update their privacy policies to refer to the DPF rather than the Privacy Shield. Most other changes are procedural – for example, some additional details are required for self-certification and additional notice is required to withdraw.

Companies transferring EU GDPR-regulated personal data to DPF participants in the United States need not rely on another transfer mechanism, such as the SCCs, to protect data that is within the scope of the recipient’s DPF certification. Current active Privacy Shield members are automatically certified under the DPF and required to comply unless they formally withdraw. They do not need to file a certification until their previously scheduled Privacy Shield recertification date. A company seeking first-time certification must implement the DPF Principles, publicly declare its commitment to these Principles, post a compliant privacy policy, and certify its compliance with the Principles to the U.S. Department of Commerce. A new DPF website run by the Department will provide more information when it goes live on July 17, 2023, per an Advisory on the Privacy Shield website.

As we’ve previously discussed, the adequacy decision is also important for companies that continue to transfer data under the SCCs or BCRs. The EC’s finding that Section 702 of the Foreign Intelligence Surveillance Act (“FISA 702”) and Executive Order 12333 no longer stand in the way of adequacy means that these laws and the practices thereunder no longer undermine the rights and freedoms of EEA individuals whose data is transferred to the U.S., as they were held to do in the Schrems II decision. Companies can take this into account when preparing transfer impact assessments. 

The Future of Data Transfers?

Max Schrems’ organization NOYB has already announced its intention to challenge the DPF, just as it challenged the Privacy Shield and the Safe Harbor before it. However, European Commissioner for Justice Didier Reynders remarked during an EC press conference that the EC is “very confident” in the DPF and ready to defend it. Given the significant changes to U.S. law underlying the DPF, perhaps this framework will have more staying power than its predecessors.

Background

First proposed on March 25, 2022, the DPF is grounded in two major U.S. legal changes that were set in motion last October by Executive Order 14086 (the “EO”). These changes address the findings in the Schrems II decision that, in the court’s view, the U.S. government (1) disproportionately collected signals intelligence data under FISA 702 and Executive Order 12333 and (2) lacked effective redress for EU citizens affected by these activities. 

As we’ve previously covered, the EO placed new limits on U.S. signals intelligence activities aimed at ensuring that these activities are necessary and proportionate. On July 3, 2023, the Office of the Director of National Intelligence (“ODNI”), in coordination with the U.S. Intelligence Community, released policies and procedures implementing the required safeguards.

The EO also created a two-step redress process whereby individuals in “qualifying states” can submit complaints related to U.S. signals intelligence activities to a newly created office in the ODNI, which determines whether the complaints allege legal violations. Complainants can have these determinations reviewed by a new Data Protection Review Court within the Department of Justice (“DOJ”), as established by DOJ regulations. On June 30, 2023, the U.S. Attorney General conditionally designated the EEA member states as “qualifying states”. This designation became effective with the EC’s adoption of the DPF adequacy decision, enabling EEA individuals to avail themselves of the redress mechanism.