Ed. Note: Thank you to Summer Associate Nicole Onderdonk for her significant contributions to this post.
On July 10, 2023, the European Commission (EC) adopted its adequacy decision for the EU-U.S. Data Privacy Framework (EU-U.S. DPF, or “Privacy Framework”), which establishes the Privacy Framework as an authorized mechanism under the General Data Protection Regulation (GDPR) for personal data to be transferred freely from the European Union (EU) to United States (U.S.) companies, effective immediately.
The EU-U.S. DPF replaces the defunct EU-U.S. Privacy Shield Framework, ruled invalid as a transfer mechanism by the Court of Justice of the European Union (CJEU) in its July 2020 ruling in the Schrems II case. The new Privacy Framework introduces two binding safeguards that directly address concerns raised by the CJEU in Schrems II regarding U.S. intelligence agencies’ surveillance programs and appropriate redress for EU citizens who believe their data rights have been violated. Under the EU-U.S. DPF, the U.S. government has committed to (1) limiting U.S. intelligence agencies’ access to EU personal data (confining that access to only what is necessary and proportionate to protect national security); and (2) establishing an independent and impartial redress mechanism, including the new Data Protection Review Court (DPRC), to investigate and resolve complaints from Europeans regarding unlawful access to or use of their data by U.S. intelligence agencies.
As was the case under Privacy Shield, in order to rely on the EU-U.S. DPF for data transfers from the EU, a company must self-certify its adherence to certain privacy principles. The principles under the new framework—the EU-U.S. DPF Principles—and the self-certification process are generally the same as they had been under Privacy Shield. Nevertheless, the adequacy decision has several implications for U.S. companies that may require immediate or near-term action, in particular for companies that previously self-certified under Privacy Shield or would like to self-certify under the new framework.
The EU-U.S. DPF adequacy decision follows a nearly two-year effort by the EU and the U.S. to develop a Privacy Shield replacement following the Schrems II ruling. Schrems II had not been the first judicial setback for transatlantic data transfers. Prior to the adoption of GDPR in 2016, EU-U.S. data transfers were governed by the Safe Harbor Framework, negotiated in 2009 and in place until 2015. In October 2015, the CJEU invalidated Safe Harbor in its Schrems I ruling, citing a lack of adequate protection for personal data from U.S. government interference for national security and public interest purposes. In July 2020, the CJEU invalidated Privacy Shield, which had attempted to address some of the concerns surrounding Safe Harbor, on similar grounds in its Schrems II ruling.
Following this defeat, in August 2020, the EU and the U.S. began initial discussions on the potential for a replacement privacy framework, acknowledging mutual interests in both protecting privacy and facilitating transatlantic economic relations. In March 2022, the parties reached an agreement in principle on a new framework. On October 7, 2022, President Biden issued Executive Order (E.O.) 14086, “Enhancing Safeguards for United States Signals Intelligence Activities,” that directed the implementation of the privacy and civil liberty safeguards for U.S. signals intelligence activities called for by the EU: limiting U.S. intelligence agencies’ access to EU personal data transferred to the U.S. and establishing an independent and impartial redress mechanism for Europeans alleging a violation of their data rights.
Pursuant to E.O. 14086, several departmental actions followed. First, the Department of Justice (DOJ) issued a regulation establishing the DPRC as the second level of the two-level independent redress mechanism for Europeans with complaints regarding U.S. intelligence agencies’ access to or use of personal data (the first level being Civil Liberties Protection Officers (CLPOs)). Next, on June 30, 2023, Attorney General Merrick Garland designated the EU and Iceland, Liechtenstein, and Norway (collectively the European Economic Area) as “qualifying states” for the purposes of individuals filing “qualifying complaints” alleging certain violations of law by U.S. intelligence agencies. Finally, on July 3, 2023, the Office of the Director of National Intelligence (ODNI) confirmed that the U.S. intelligence community had adopted updated policies and procedures to limit access to EU personal data unless it is necessary and proportionate to protect a specific national security interest. On the same day, Secretary of Commerce Gina Raimondo issued a statement confirming that, through E.O. 14086, the departmental actions taken pursuant to it, and the updated EU-U.S. Data Privacy Framework Principles, the U.S. had fully implemented the agreed-upon privacy and civil liberty safeguards and had therefore fulfilled its commitments under the EU-U.S. DPF, paving the way for the EC to issue an adequacy decision. One week later, on July 10, 2023, the EC adopted its adequacy decision, bringing the Privacy Framework into force.
The New Privacy Framework
In order to rely on the EU-U.S. DPF for personal data transfers from the EU, an organization must self-certify its adherence to the EU-U.S. DPF Principles issued by the Department of Commerce (DOC). To be eligible to self-certify, companies must be subject to the jurisdiction of the Federal Trade Commission (FTC), the U.S. Department of Transportation (DOT), or another statutory body that will ensure compliance with the Principles. Re-certification must be completed at least annually. The DOC maintains a publicly available list of certified organizations. An organization may be removed from the list if it fails to re-certify annually, if it persistently fails to comply with the Principles, or if it requests to withdraw from the program.
While the privacy obligations and procedures for U.S. companies under EU-U.S. DPF are generally the same as those under Privacy Shield, the adequacy decision nonetheless has implications that may require immediate or near-term action.
1. Who Can Certify, and How?
With the new framework in force and Privacy Shield fully defunct, whether a company needs to take action will be determined by whether a company was previously self-certified under Privacy Shield and whether a company would like to self-certify under the new framework.
- Companies who previously self-certified under the Privacy Shield and do not wish to participate in the EU-U.S. DPF must follow the procedure for withdrawal referred to in Section III.6.f of the Principles. Companies must notify the DOC in advance and indicate what the company will do with the personal data that it received in reliance on the EU-U.S. DPF or prior privacy framework (i.e., retain, return, or delete the data; if retaining the data, specifying an alternative authorized mechanism for protecting the data is required).
The EU-U.S. DPF website went live on July 17 and enables U.S. companies to complete initial certification and re-certification submissions, as well as access resources and receive program updates. The new website will also be a source of information for the UK Extension to the EU-U.S. DPF and Swiss-U.S. DPF, both of which are pending adequacy decisions from their respective national authorities and therefore cannot yet be relied upon for data transfers. The website replaces the resources and functionality previously available through the Privacy Shield website, which was taken offline on July 14.
2. Companies have several additional obligations under the EU-U.S. DPF Principles.
While the Privacy Shield Principles and EU-U.S. DPF Principles are generally the same, there are some specific differences that companies should be aware of.
First, unlike under the Privacy Shield, a transfer of key-coded medical or pharmaceutical research data that is considered personal data under EU law is now covered by the EU-U.S. DPF Principles, even if only the researcher holds the “key” to the dataset.
Second, the EU-U.S. DPF Principles include a few additional requirements for certified companies who change their corporate status, including: (a) notifying the DOC of the change in advance; and (b) indicating whether the company will (i) continue to participate in the EU-U.S. DPF through an existing self-certification, (ii) self-certify as a new participant, or (iii) implement other safeguards (e.g., a written agreement) to ensure continued adherence to the Principles with regard to any personal data the organization received while certified. If the company does not plan to pursue any of those options for protecting the data, any personal data received while certified must be returned or deleted.
3. Cross-border transfer for certified organizations is greatly simplified.
Post-Schrems II, U.S. companies that had relied on the Privacy Shield framework for EU to U.S. data transfers were forced to scramble to find new transfer mechanisms — namely Standard Contractual Clauses (SCCs) (although companies may have sought to implement Binding Corporate Rules or simply to obtain consent, if feasible). And the new SCCs that came into effect in 2022 required the use of Transfer Impact Assessments (TIAs) for transfers to the U.S.
The new Privacy Framework accomplishes two things: first, it obviates the need to have a separate transfer mechanism if an organization is certified. Second, it does away with the TIA requirement for any company in the U.S. In other words, so long as the DPF is valid, U.S. organizations have a much more simplified way of transferring data from the EU.
4. Other authorized data transfer mechanisms under GDPR are still valid.
An adequacy decision is only one of several authorized mechanisms under the GDPR by which a company may lawfully transfer personal data from the EU (and Norway, Liechtenstein and Iceland) to a non-EU country. Adequacy decisions are issued by the EC, which is responsible for assessing whether a non-EU country provides a level of protection for personal data essentially equivalent to that of the EU. Additional mechanisms for lawful transfers include standard contractual clauses (SCCs), which are model contract clauses pre-approved by the EC, and binding corporate rules (BCRs), which are data protection policies adhered to within a group of enterprises. The lawfulness of these mechanisms remains unchanged following the EU-U.S. DPF adequacy decision. However, the U.S. government’s compliance with the new privacy and civil liberty safeguards established under the EU-U.S. DPF applies to all personal data transfers, regardless of which authorized data transfer mechanism is used. This may prove beneficial to U.S. companies, even if they are not relying on the EU-U.S. DPF adequacy decision for their transatlantic data flows. For example, while transfer impact assessments (TIAs) will still be required when using SCCs or BCRs to transfer personal data from the EU to a non-EU country, the transaction costs associated with these transfers may decrease due to a company’s ability to rely on the EU-U.S. DPF adequacy decision for certain responses in TIA questionnaires.
Looking Forward: An Uncertain Future, or Should We Worry About Schrems III?
While the EU-U.S. DPF adequacy decision marks a significant step forward for stabilizing EU-U.S. data flows and related economic relations, uncertainty remains.
First, adequacy decisions may be adapted or withdrawn due to material developments affecting the level of protection in the non-EU country. The EU-U.S. DPF adequacy decision is subject to periodic reviews by the EC and European data protection authorities (with the first review taking place within the first year) to assess whether all commitments under the EU-U.S. DPF have been fully implemented and are functioning effectively.
Second, based on the history of EU-U.S. privacy frameworks and the European courts, the EU-U.S. DPF is likely to be judicially challenged. And despite the European Parliament’s best attempts to “future proof” the framework and its resolution to issue the adequacy decision only if it was likely to be upheld in court, it is unknown whether the EU-U.S. DPF addresses the concerns raised in Schrems I and Schrems II sufficiently to resist invalidation by the CJEU.
Third, the DOC, responsible for administering and monitoring the efficacy of the program, is authorized to make changes to ensure the program’s compliance with the U.S. government’s commitments. In addition, while the FTC has historically been responsible for enforcing U.S. companies’ compliance with EU-U.S. privacy frameworks (including Safe Harbor and Privacy Shield), what enforcement will look like under the EU-U.S. DPF is not clearly prescribed.
In sum, while companies who self-certify can rely on the EU-U.S. DPF adequacy decision for their transatlantic data transfers today and in the near term, other authorized transfer mechanisms (e.g., SCCs, BCRs) should remain at the forefront until the future of the EU-U.S. DPF becomes more certain.