On 10 July 2023, the European Commission (EC) adopted its eagerly expected adequacy decision on data transfers under the EU-U.S. Data Privacy Framework (DPF). The adequacy decision was preceded by substantial changes to U.S. intelligence-gathering requirements that have cleared the path for transfers of EU personal data under all mechanisms recognized by the GDPR. With immediate effect, the adequacy decision provides a new lawful basis for trans-Atlantic data transfers from data exporters in the EU to U.S. data importers who certify compliance with the DPF principles. In times where technologies that necessarily require cross-border data flows, such as AI or cloud computing, play an increasingly important role, the DPF is likely to be a key facilitator of a trans-Atlantic data economy.
By issuing an adequacy decision, the EC has the power to determine whether recipient jurisdictions outside the EU offer an adequate level of data protection. Under Article 45 GDPR, data transfers covered by the scope of such adequacy decision are permitted without further legal safeguards being necessary (e.g., the EC’s Standard Contractual Clauses (SCC), or Binding Corporate Rules (BCR)).
The EC’s adoption of its adequacy decision on the DPF marks the third chapter in the history of frameworks for lawful trans-Atlantic data transfers, following the Court of Justice of the European Union’s (CJEU) invalidations of predecessor adequacy decisions covering the “Safe Harbor” and “Privacy Shield” frameworks. In both cases, the CJEU found that potential for U.S. Government “bulk” surveillance of EU data subjects whose personal data had been transferred to the U.S. was incompatible with EU law.
Due to the importance for business of data transfers between the EU and the U.S., the EC and the U.S. Government agreed in principle on this new trans-Atlantic agreement in a joint statement on 25 March 2022, which advised that the U.S. Government’s commitments to reforming its intelligence-gathering surveillance practices would be promulgated through an Executive Order (EO).
The new DPF adequacy decision was therefore possible after the White House issued EO 14086 on Enhancing Safeguards for United States Signals Intelligence Activities (EO 14086) on 7 October 2022, which established principles-based safeguards governing intelligence-gathering practices focused on the EU-law concepts of necessity and proportionality. According to EO 14086, members of the U.S. intelligence community must consider these principles before engaging in surveillance activities. It also established a two-layer judicial redress mechanism that individuals can use to challenge alleged violations of the principles (see our prior coverage, here).
A draft adequacy decision by the EC in December 2022 was followed by the positive opinion on 6 July 2023 of the EU comitology committee that voted in favor of the DPF with a majority of 24 out of 27 Member States. This provided the required qualified majority for the EC to adopt the DPF.
In Article 1 of its adequacy decision, the EC concludes that the U.S. ensures an adequate level of protection for personal data transferred from the EU to organizations in the U.S. that certified compliance to the “EU-U.S. Data Privacy Framework Principles” (DPF Principles) and are included in the “Data Privacy Framework List,” which will be maintained and made publicly available by the U.S. Department of Commerce.
As with Privacy Shield and Safe Harbor before it, the DPF adequacy finding applies only to trans-Atlantic data transfers made pursuant to the DPF and not to all transfers to U.S. recipients. That said, the EC adequacy decision helps overcome the specific concerns regarding access to EU personal data by U.S. government agencies—as the U.S. intelligence-gathering reforms also will apply to investigations of data transferred under mechanisms such as SCC or BCR—and so transfers under those mechanisms also will be able to benefit from the reasoning of the adequacy decision.
The EC highlights that the DPF introduces significant improvements compared to the mechanism that existed under the Privacy Shield. For its determination of the adequacy of data transfers under the DPF, the EC assesses in detail the changes introduced under EO 14086 and concludes that the new binding safeguards address all the concerns raised in the CJEU’s Schrems II judgment:
The functioning of the DPF will be subject to periodic reviews carried out by the EC, together with representatives of European data protection authorities (DPAs) and competent U.S. authorities. Under Article 3 of the adequacy decision, the EC must continuously monitor the application of the DPF. Where the EC has indications that an adequate level of protection is no longer ensured, it will inform the competent U.S. authorities, and, if necessary, may decide to suspend, amend or repeal the adequacy decision or limit its scope. The first review will take place in July 2024 in order to verify that all relevant elements of Executive Order 14086 have been fully implemented and are functioning effectively in practice.
Recipients in the U.S. that want to use the DPF must self-certify their adherence to the DPF Principles. The DPF Principles are an updated and further substantiated version of the principles established under the Privacy Shield framework. Organizations that were already certified under the Privacy Shield framework are well positioned to also self-certify under the DPF.
To join the DPF, an eligible organization must develop a conforming privacy policy, identify an independent recourse mechanism, and self-certify through the website provided by the U.S. Department of Commerce, accessible at https://www.dataprivacyframework.gov/s/.
A list of certified companies is also provided on the DPF website, so that EU-based data exporters can easily check whether a U.S. data importer benefits from the protections under the DPF adequacy decision.
The DPF is a powerful mechanism that will play an important role in practice in facilitating EU-U.S. data flows. But, given the invalidations of the predecessor frameworks (“Safe Harbor” and “Privacy Shield”), some voices in the legal landscape will likely continue to raise concerns about the DPF. However, the EC’s adequacy decision is binding, which means that EU DPAs must accept the adequacy decision as creating a valid mechanism for trans-Atlantic data transfers in compliance with Chapter V GDPR without the need to obtain any further authorization. Where a national DPA questions the compatibility of the adequacy decision with the fundamental rights of an individual to privacy and data protection (such as upon a complaint from a data subject), the DPA can explore the legal remedies under national law to put those objections before a national court. National courts may be required to make a reference for a preliminary ruling to the CJEU.
For EU-based data exporters, it is important to note that while the adequacy decision focuses on EU-U.S. data flows where the data importer in the U.S. is certified under the DPF, exporters relying on other mechanisms will need to reassess the way in which the procedures adopted by the U.S. Intelligence Community may positively affect the safeguards provided by those mechanisms. In summary, companies involved in EU-U.S. data transfers should take the following steps:
Authored by: Eduardo Ustaran, Henrik Hanssen, Julie Schwartz, Bret Cohen, and Julian Flamant.