On July 10, 2023, the European Commission adopted with immediate effect an adequacy decision for the EU-U.S. Data Privacy Framework (the “DPF”). The decision enables businesses in Europe to transfer personal data to DPF-certified U.S. businesses without having to implement additional data protection safeguards.
In this Debevoise Data Blog post, we explain the DPF’s scope and operation, discuss the implications for other GDPR data transfer mechanisms such as Standard Contractual Clauses (“SCCs”), and describe where things stand in the United Kingdom and Switzerland.
Our key takeaways are:
- For businesses in the U.S., the decision whether to certify or to continue to use alternative transfer mechanisms, such as the SCCs, will turn on whether the business is eligible to certify and on client and third-party expectations. As with the DPF’s predecessor, Privacy Shield, we expect that certification may not be right for all businesses.
- For businesses in Europe, no immediate action is needed. However, businesses should expect counterparties to begin moving away from SCCs where they are certified under DPF, and records of processing activities may need to be updated to reflect the new basis for future data transfers.
Background to the decision: an uneasy status quo
Under the General Data Protection Regulation (“GDPR”), a business in Europe is prohibited from sending personal data outside Europe unless permitted under the GDPR. Such transfers are permitted where, for example:
- an adequacy decision has been issued confirming the jurisdiction of the data recipient provides essentially equivalent protection to the GDPR;
- the transferring parties have appropriate safeguards in place, such as SCCs or Binding Corporate Rules (“BCRs”); or
- an exception applies, such as the transfer is necessary for the performance of a contract.
The DPF is the third U.S. adequacy decision in recent years. The first, under the “Safe Harbor” framework, was invalidated by the EU Court of Justice (the “CJEU”) in the 2015 Schrems I judgment. The second, under the “Privacy Shield” framework, was invalidated by the CJEU in the 2020 Schrems II judgment (see our blogposts on Schrems II here and here).
In Schrems II, the CJEU found that U.S. surveillance laws were too permissive to satisfy the core requirements for an adequacy decision, and took issue with the lack of judicial redress for improper surveillance. Schrems II, however, concluded that SCCs can be used for EU-U.S. data transfers, subject to the requirement that “additional safeguards” are put in place to ensure an essentially equivalent level of data protection. The transferring party determines in a data transfer impact assessment what measures are required to meet this standard. But even companies implementing the SCCs and the supplementary measures found themselves subject to regulatory scrutiny if the measures fell short of the CJEU’s requirements (see, e.g., the 1.2 billion fine for Meta in May 2023).
Accordingly, the European Commission and the Biden Administration worked toward this third adequacy decision, the foundation for which was laid on October 7, 2022 with the Biden Administration’s Executive Order 14086 (discussed in our blogpost here). EO 14086 responds to the concerns of Schrems II by requiring U.S. intelligence collection to be narrowly tailored, necessary and proportional to certain legitimate objectives, and by implementing oversight mechanisms through a new Data Protection Review Court to investigate and resolve complaints by European data subjects regarding access by U.S. national security authorities to their transferred data.
DPF certification requirements and process
As under Privacy Shield, a U.S. business is eligible for self-certification with the Department of Commerce if it is subject to the investigatory and enforcement powers of the Federal Trade Commission or the Department of Transportation. This limitation on scope is important because it may, for example, exclude certain U.S. financial institutions and NGOs from certifying.
Self-certification is voluntary and requires businesses to commit to seven primary “privacy principles” and sixteen supplemental privacy principles issued by the Department of Commerce. These broadly mirror GDPR. Certification also triggers a number of other obligations, including an obligation to update the business’s privacy notice.
Once certified, compliance with the Principles can be enforced under U.S. law. Data subjects may lodge complaints through both U.S.- and EU-based recourse mechanisms. This may include bringing a complaint directly to the business or its designated independent dispute resolution body, to an EU data protection authority, or to the Department of Commerce or Federal Trade Commission. Where complaints have not been adequately resolved through these routes, the data subject can choose to invoke binding arbitration by a specially created panel, administered by the International Centre for Dispute Resolution.
U.S. businesses that wish to self-certify for the first time must submit a self-certification to the Department of Commerce and can rely on the transfer mechanism once placed on the Data Privacy Framework List. If a business is already Privacy Shield certified, it can rely immediately on the EU adequacy decision with the Shield date remaining applicable for the purposes of annual re-certification.
More information about the certification process is available on the Department of Commerce, International Trade Association’s dedicated website (www.dataprivacyframework.gov), including a helpful FAQ. The website also lists certified businesses.
UK and Swiss Data Transfers to the U.S.
Alongside the DPF, the U.S. agreed substantially similar data protection frameworks for the United Kingdom and Switzerland to streamline transfers from those jurisdictions.
If a U.S. business is self-certified to the EU-U.S. DPF it can also self-certify to a UK Extension to facilitate data transfers from the UK and Gibraltar. The UK Extension still awaits the UK adequacy decision to become a valid transfer mechanism. Parties transferring personal data from Switzerland to the U.S. will likewise be able to rely on a standalone Swiss-U.S. DPF once Switzerland has issued its adequacy decision.
The Department of Commerce website has information about the UK Extension (available here) and the Swiss-U.S. DPF (available here and here), including the status of the forthcoming adequacy decisions.
What businesses can do now
Europe’s adequacy decision adds considerable legal certainty to the transatlantic transfer of personal data.
While the DPF does not impact the ability of businesses to continue to rely on SCCs and BCRs, businesses may wish to consider whether to self-certify under the DPF and, in due course, the UK and Swiss frameworks. Considerations for businesses include:
- whether certification is available to the entity as an FTC or Department of Transport regulated business;
- client and third-party expectations that the business obtain certification, given its more prescriptive requirements;
- appetite for potential expanded FTC scrutiny; and
- compliance burden.
Existing Privacy Shield participants should, by October 10, 2023, update their privacy policies to include the required DPF disclosures, or take steps to withdraw from the DPF.
Next steps: Schrems III?
The Commission will periodically review the adequacy decision, with the initial review scheduled for one year from now. It will likely focus on whether the U.S. application of proportionality in the context of surveillance aligns in practice with the CJEU’s expectations in the Schrems II decision.
It remains to be seen whether the DPF will be able to hold up to the judicial and political challenges it faces. In May 2023, the European Parliament shared similar concerns in a declaration stating that U.S. remediations since Schrems II were inadequate. The Commission responded to key concerns about the DPF in an FAQ published alongside the adequacy decision. Further, on the same day the adequacy decision was adopted, Max Schrems, the plaintiff in both Schrems I and Schrems II, expressed his readiness to file a legal challenge against this adequacy decision as early as this year, citing in part a concern about proportionality in the context of surveillance. In the meantime though, the DPF stands and is available to use.