13/07/2023 - After years of political back-and-forth since Schrems II, on July 10th, the European Commission (‘EC’) adopted its adequacy decision regarding the EU-U.S. Data Privacy Framework (‘DPF’). According to the decision, the United States (‘US’) guarantees an adequate level of protection, comparable to that of the EU. With the adoption, the transfer of personal data from the EU to US companies participating in the DPF can occur securely, without the need for additional safeguards. Yet, the adequacy decision is contentious; both the European Parliament (‘EP’) and European Data Protection Board (‘EDPB’) previously criticised the DPF, highlighting its pitfalls in providing actual comparable protection of EU individuals when it comes to personal data protection overseas. Read our blog below to learn about what you should know about this development and what the practical consequences are for your organisation.
“With the adoption of the adequacy decision, personal data can now flow freely and safely from the European Economic Area to the United States without any further conditions or authorisations.”, stated EU justice Commissioner Didier Reynders during a press conference announcing the adoption of the US adequacy decision on July 10th. EC President Ursula von der Leyen reiterated this sentiment by stating that, “The new EU-U.S. Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic.” Such sentiments are understandable considering it has been almost three years since the European Court of Justice (‘CJEU’) invalidated the previous mechanism, the EU-US Data Protection Shield (‘Privacy Shield 2.0’). The stakes are high, as the US Secretary of Commerce Gina Raimondo, the EC’s American counterpart in administering and monitoring the DPF, highlighted yesterday, “Trans-Atlantic data flows underpin more than $1 trillion in cross-border trade and investment per year and create greater economic opportunities for companies and citizens on both sides of the Atlantic.”.
Background
One cannot escape the fact that the process leading up to the EC decision was marred with criticisms and commentary from both public and private actors. Looking back, the first major development was in March 2022 when the US and the EC announced an “agreement in-principle” for a transatlantic framework on data transfers. This was followed by Executive Order 14086 (‘EO’), signed by US President Joe Biden in October 2022, which enacted the guarantees outlined in the “agreement in-principle,” with a specific focus on implementing safeguards against the surveillance of personal data belonging to EU residents by US intelligence agencies and ensuring the protection of such data.
Just before Christmas 2022, the EC published a draft adequacy decision in reaction to the EO, in a first step towards the adoption of the final decision. Giving their non-binding opinion on the draft, the EDPB issued its Opinion 5/2023 which welcomed the improvements brought forward by the DPF but remained concerned regarding the bulk personal data collection of US signal intelligence agencies, as well as the practical functioning of the DPF redress mechanism and the scope of exemptions. The EP also opined through its Resolution against the adoption of the adequacy decision in early May 2023, expressing concerns about the continued bulk collection of data, as well as the lack of effective legal remedy for EU citizens. All of this led to this week where the EC, largely in disregard of these concerns, formally adopted the final version of the DPF. It is also important to note that the adequacy is with EEA relevance, meaning that that any reference to the EU in the decision also refers to the EEA.
The EC marches on
The EC voiced its opinion on the DPF clearly — “The EU-U.S. Data Privacy Framework introduces new binding safeguards to address all the concerns raised by the European Court of Justice, including limiting access to EU data by US intelligence services to what is necessary and proportionate, and establishing a Data Protection Review Court (DPRC), to which EU individuals will have access.”. According to the decision, the DPRC will have the authority to order the deletion of data if it determines that the data was collected in violation of the new safeguards. This is intended to ensure stronger enforcement and protection for EU individuals. Moreover, the new safeguards pertaining to government access to personal data will complement the obligations that US companies importing data from the EU will be required to adhere to.
First, EU individuals will have access to various avenues for redress in cases where their personal data is misused by US companies, i.e., in cases of DPF organisations’ noncompliance with the DPF Principles. These avenues include independent dispute resolution mechanisms that will be available free of charge to EU individuals and an arbitration panel to provide further recourse for resolving privacy-related disputes. Further, in case of complaints from EU individuals concerning the activities of US signal intelligence agencies, the DPF introduces a two-step process. An individual must first lodge their complaint to their national data protection authority (‘DPA’), who will then channel the complaint to the redress mechanism. Any complaints against US intelligence agencies will be then investigated by the Civil Liberties Protection Officer (‘CLPO’) of the US intelligence community who is responsible for ensuring compliance by the agencies with privacy and fundamental rights. The decisions of the CLPO may be appealed before the DPRC, both by individuals and any element of the US intelligence community within 60 days of receiving notification of a finalised CLPO review of the complaint.
Concerns remain?
Commissioner Reynders suggested during the press conference that the EU listened closely to the feedback in order to finalise the framework which would ensure “full compliance with the conditions set in the ruling of the EU’s highest court.”. The extent to which this statement is accurate is questionable. First, there are little to no changes to the way the DPRC is positioned or functions in comparison to the draft adequacy decision. On one hand, it is certainly welcoming that individuals do not need to prove that their data has in fact been subject to US signals intelligence activities and can simply submit a complaint to their DPA who will handle the subsequent procedure through the EPDB. However, the CLPO, who will handle the complaint on the US side, then only informs the complainant (through the DPA) whether the review did not identify any violations, or a violation was found and remedied, without any further details about the decision being communicated. The complainant then has the right to appeal to the DPRC, which will take a final binding decision on the complaint, however, it will do so without sharing further details about its decision, due to the confidential nature thereof.
Furthermore, the concerning issue with the bulk collection of personal data by US intelligence agencies does not seem to have been resolved, despite apparent vouches by the US intelligence community. When invalidating the Privacy Shield 2.0, the CJEU found the bulk surveillance not to be proportionate with Art. 52 CFR. The new EO rightly introduces the concepts of necessity and proportionality, however, one may argue whether they sufficiently correspond to the EU’s understanding of those concepts. Lastly, in its opinion the EDPB voiced concern that the DPF Principles remained identical to the invalidated Privacy Shield 2.0. and are accompanied with a lack of clarity regarding key definitions and their application. Overall, one should not turn a blind eye to the remaining concerns which were not fully addressed in the final DPF.
So, what should organisations do now?
Despite the remaining concerns, the DPF is – for the moment – here to stay. As such, it is important for organisations to understand what this means for them. A crucial note to remember is that the adequacy decision applies only to transatlantic data transfers that are made to US-based organisations who participate in the DPF. This is different from other adequacy decisions, which do not require active participation through a self-certification mechanism. We have described a number of scenario’s below:
If you are a US-based organisation looking to become DPF certified
US-based organisations that want to rely on the DPF for importing personal data from the EU should take the appropriate steps to self-certify under the DPF. This is mainly done by ensuring that their organisation's Privacy Policy conforms to the DPF Principles, by way of updating their Privacy Notice to reflect their commitment to the DPF and through identifying an independent recourse mechanism. To support organisations, the U.S. Department of Commerce’s International Trade Administration has published a website to ease the self-certifying process. Costs for certifying range from $250 to $3,250 annually.
Organisations that complete the self-certification will be added to the Data Privacy Framework List and will be required to re-certify annually. Lastly, when relying on the DPF, organisations do not need to perform a Data Transfer Impact Assessments (‘DTIA’).
If you are a US-based organisation that was certified under the previous mechanism
US-based organisations that self-certified their commitment to comply with the previous EU-U.S. Privacy Shield Framework Principles and have maintained such certification, must now comply with the DPF Principles, including by updating their Privacy Notices by October 10, 2023. Those organizations do not need to make a separate, initial self-certification submission to participate in the DPF and may begin relying immediately on the DPF to receive personal data from the EU.
If you are an EU-based organisation transferring personal data to the US
For EU-based organisations that wish to export personal data to the US based, the following steps should be assessed:
- Verify whether the US-based organisation to which you intend to export personal data is listed on the Data Privacy Framework List as a DPF participant;
- If the organisation is a DPF participant, you are free to transfer personal data to the US-based organisation without taking additional steps. You do not need to conduct a DTIA.
- If the organisation is not a DPF participant, the data transfer must rely on another GDPR data transfer mechanism, such as Standard Contractual Clauses (‘SCCs’) or Binding Corporate Rules (‘BCRs’). Note that in this case, you will have to complete a DTIA in addition to your chosen data transfer mechanism. In your DTIA, you are advised to refer to the EC’s positive assessment of US laws and practices. The EC states that all the safeguards that have been put in place by the US Government in the area of national security (including the redress mechanism) apply to all data transfers under the GDPR to companies in the US, regardless of the transfer mechanisms used. These safeguards therefore also facilitate the use of SCCs and BCRs.
For most organisations doing business across the Atlantic, the new DPF is a welcome development. Whether it will be challenged before the CJEU and how it will actually safeguard transatlantic data transfers in practice, is yet to be seen. Considerati will continue to monitor these developments. Should you require support with becoming DPF certified or with your data transfers to the US, do not hesitate to contact us.
