Paul Voigt, Axel von dem Bussche and Alexander Schmalenberger look at the new EU-US adequacy decision for the Data Privacy Framework and at what that means for EU-US data transfers.
In the ever-evolving landscape of data privacy, the recently adopted EU-US Data Privacy Framework (DPF) marks a significant improvement for EU data exporters and US data importers alike. We shed light on this new framework, its key components, and its implications for businesses on both sides of the Atlantic.
The EU-US Data Privacy Framework is a landmark set of rules and binding safeguards that govern the transfer of personal data between the EU and the US. The European Commission adopted its adequacy decision on the DPF on 10 July 2023 and it came into force the same day. It confirms that the US provides an "adequate" level of protection for the data of individuals residing in the EU for those data recipients participating in the framework. This comes more than a thousand days after the ECJ’s 'Schrems II' ruling, which invalidated the predecessor regime EU-US Privacy Shield and left transatlantic data transfers in a regulatory quagmire.
The DPF is a significant victory for both small and medium-sized companies and large cloud and social media companies. It resolves the uncertainty about the legal basis for transatlantic data transfers, offering a less burdensome and complex alternative to other transfer mechanisms such as the Standard Contractual Clauses.
The completion of the DPF was a political challenge for both the US and the EU. Following the Schrems II decision, the US has made concessions regarding legal recourse possibilities for EU individuals and more proportionate data collection by surveillance agencies.
The new redress mechanism, which allows EU individuals to seek redress through their national authorities via the proposed Data Protection Review Court (DPRC), is a significant advancement. However, questions remain regarding the court’s independence and the transparency of the mechanism.
The DPRC is an executive body, not part of the judicial branch, which raises questions about its independence. Its role is to investigate and resolve complaints from Europeans, but its position within the executive branch could potentially influence its decisions, leading to concerns about impartiality.
In addition, the court is only allowed to give a simple decision, without confirming or denying that the complainant was subject to US signals intelligence activities. This approach raises further questions about the transparency of the mechanism. The complainants and the public may not fully understand the basis of the court's decisions, which could lead to a lack of trust in the process.
The effectiveness of the redress mechanism will largely depend on how it is implemented in practice. It remains to be seen how accessible the mechanism will be for EU individuals, how efficiently complaints will be processed, and whether the decisions of the DPRC will effectively remedy any violations of privacy rights.
Under President Biden's Executive Order (EO), the US made significant concessions to the EU by stipulating that access to EU data by US intelligence authorities should be limited to what is necessary and proportionate to protect national security.
However, the interpretation of terms like "necessary", "legitimate", and "(dis)proportionate", may vary between the EU and the US. For instance, what the US considers a "legitimate" national security objective might be viewed differently in the EU. Similarly, the US and EU might have different thresholds for what constitutes a "disproportionate" impact on privacy and civil liberties.
While the EO represents a significant step towards aligning US practices with EU standards, it is not yet clear whether it has resulted in an actual alignment of standards. This will depend on how the US implements these changes in practice, and how these practices are perceived and evaluated by the EU Commission and the ECJ.
We can expect ongoing dialogue and collaboration between the EU and the US to ensure the effective implementation of the DPF, however, uncertainties regarding the longevity of the framework will remain, not least because Max Schrems has already announced a legal challenge.
The DPF will simplify data transfers from the EU to certified data importers in the US However, due to uncertainties regarding the validity of the framework, many EU data exporters may prefer to additionally use other transfer mechanisms such as EU SCCs in conjunction with transfer impact assessments to “backup” the DPF certification.
The DPF does not automatically apply to any US company. As with the Privacy Shield, one of the key components is the self-certification process. This is designed to ensure that organizations adhere to the DPF principles and provide adequate protection for personal data transferred from the EU to the US.
The US Department of Commerce (DOC) will soon publish guidance for those currently participating in the EU-US Privacy Shield Framework to ensure a smooth transition to the Privacy Framework. According to its website, it considers the DPF to be immediately applicable to organisations that have self-certified their commitment to comply with the principles of the EU-US Privacy Shield Framework. They will need to update their references in their privacy policies from the EU-US Privacy Shield Framework to the DPF by 10 October 2023. The organisation's recertification deadline will not change. If an organization does not wish to commit to the DPF, it must declare its withdrawal.
To benefit from the EU-US Data Privacy Framework, an organization that were not committed to the EU-US Privacy Shield Framework must self-certify its adherence to the Principles with the DOC. This self-certification process involves submitting a detailed report by a corporate officer on behalf of the organization. This report must include:
On 11 July 2023, the US International Trade Administration confirmed that from 17 July 2023, US organisations may self-certify compliance to the EU-US DPF. On July 17, 2023, visit the Data Privacy Framework (DPF) program website to make initial self-certification submissions. The website will also provide a variety of guidance.
The DOC will maintain and make publicly available a list of organizations that have filed completed self-certification submissions and will update this list based on annual recertification submissions and notifications received. Organizations must recertify annually; otherwise, they will be removed from the list, and the benefits of the DPF will no longer apply.
An organization that wishes to withdraw from the DPF must notify the DOC in advance and indicate what it will do with the personal data it received in reliance on the Framework. If the organization chooses to retain the data, it must either affirm its commitment to continue to apply the Principles to the data or provide “adequate” protection for the data by other authorized means.
An organization that will cease to exist as a separate legal entity due to a change in corporate status must notify the DOC in advance. The notification should indicate whether the resulting entity will continue to participate in the DPF, self-certify as a new participant, or put in place other safeguards.
If an organization leaves the DPF for any reason, it must remove all statements implying that it continues to participate in the Framework or is entitled to its benefits. Any misrepresentation concerning an organization's adherence to the Principles may be actionable by the FTC, DOT, or other relevant government bodies.
As we continue to navigate the evolving landscape of data privacy, it is crucial for organizations to stay informed and proactive. The new DPF presents both opportunities and challenges, and understanding its implications is key to ensuring compliance and leveraging its benefits.
Remember, the journey to data privacy compliance is ongoing. As the DPF takes effect, it's more important than ever to stay informed, proactive, and prepared. If you have any questions or need further clarification on any points, feel free to reach out to us.
All in all, the DPF and the EU adequacy decision will facilitate frictionless data flows for EU businesses looking to export personal data to the USA and for US importers, with UK and EEA country organisations also likely to benefit shortly. Read more about the UK perspective on the DPF here.
Analysis of the ECJ rulings in the proceedings Natsionalna agentsia za prihotide (C-340/21) and Municipality of Ummendorf (C-456/22) of 14 December 2023