On July 10, 2023, the European Commission (“EC”) adopted its decision that the EU-U.S. Data Privacy Framework (“DPF”) offers an adequate level of protection for EU personal data (the “Adequacy Decision”), comparable to that provided under the EU General Data Protection Regulation (“GDPR”).[1] With this Adequacy Decision in place, U.S. companies that are certified under the DPF may lawfully transfer EU personal data to the U.S., without the need for additional safeguards.[2] It also eases the way for a “bridge” to the United Kingdom, which would extend the DPF to UK-to-U.S. transfers on the same basis.
This new transfer mechanism returns some level of legal certainty to personal data transfers, but potential legal pitfalls likely still lie head. In particular, NOYB—the consumer group that brought the successful legal challenges to the Safe Harbor[3] and Privacy Shield data protection frameworks[4]—signaled its intent to bring a challenge to the adequacy of the protections provided by the DPF.[5]
Background
Under GDPR, personal data may only be transferred from the European Economic Area to a third country, such as the United States, if that data is protected in the third country at an essentially equivalent level as provided under GDPR. GDPR identifies a number of mechanisms by which such transfers may lawfully occur, including on the basis of an EC adequacy decision, or subject to appropriate safeguards that ensure enforceable data subject rights and effective legal remedies to data subjects (e.g., via standard contractual clauses (“SCCs”)).[6]
The DPF is the third framework the United States and EU have negotiated in an effort to achieve a lasting adequacy decision—the European Court of Justice (“CJEU”) invalidated the first such framework, the Safe Harbor, in October 2015, and the second, the Privacy Shield, in July 2020. In both instances, privacy activist Maximilian Schrems successfully challenged the level of protection provided to EU data subjects under those frameworks. In particular, in its July 2020 Schrems II decision, the CJEU found that certain U.S. surveillance programs unduly infringed on EU data subject rights by not imposing proper limitations on data collection, nor offering sufficient opportunities for redress.[7]
In March 2022, President Joe Biden and EC President Ursula von der Leyen announced an agreement in principle on the DPF to foster transatlantic data flows and address the deficiencies identified by the CJEU in its Schrems II decision. To that end, on October 7, 2022, President Biden issued Executive Order (EO) 14086 to clarify the parameters within which the U.S. may engage in signals intelligence gathering activities, and to ensure appropriate safeguards to protect individuals’ privacy and civil liberties.[8] Pursuant to EO 14086, Attorney General Merrick Garland issued regulations to establish the Data Protection Review Court (“DPRC”), which is authorized to review qualifying complaints from data subjects.
The EU-U.S. Data Privacy Framework
The DPF builds on the self-certification process established under the Privacy Shield, while incorporating the new structures established under EO 14086 and the DPRC. Like the Privacy Shield, the DPF is overseen by the Department of Commerce (“DOC”) and is organized around a number of high-level principles, which are supplemented by further guidance on specific application and exceptions in certain contexts (collectively, the “Principles”), and which are substantively identical to the principles companies adhered to under the Privacy Shield.[9]
Administration
- To be eligible to participate in the DPF, a company must be subject to the investigatory and enforcement powers of the Federal Trade Commission (“FTC”) or the Department of Transportation (“DOT”), and must certify—and annually re-certify—to the DOC that it adheres to the Principles.
- Certification Process. The DPF certification process is broadly similar to that established under the Privacy Shield, whereby a participating organization submits information to the DOC—including its name, description of the types of personal data collected by the company and purpose(s) for which it is processed, the verification and relevant recourse mechanism to which it is subject, and the statutory body with jurisdiction to enforce compliance with the Principles (i.e., FTC or DOT).[10] The DOC maintains a dedicated website—which came online on July 17, 2023—through which companies may self-certify, and on which it will provide ongoing guidance and publish the list of participating companies (the “DPF List”).[11]
- The DOC will verify that participants meet all certification requirements. To that end, and “[b]uilding on the experience with the (re-)certification process under the Privacy Shield,”[12] the DOC will perform a number of checks to confirm that the company’s privacy notices accurately reflect its participation in the DPF and otherwise meet the certification requirements, and to verify that the company is subject to oversight (e.g., by the FTC), and is participating in an independent recourse mechanism, as identified in the company’s self-certification.[13] Upon certification, the company will be listed on the DPF List; from that point forward, the company may begin receiving EU personal data on the basis of its participation in the DPF.
- The DOC will conduct ongoing monitoring of participating companies, including random “spot checks” and ad hoc checks of specific companies when potential compliance issues arise. These are intended to confirm that the company’s point of contact for handling complaints is responsive, the privacy policy is readily available and complies with the certification requirements, and that the company’s chosen independent dispute resolution mechanism is available to handle complaints, among other issues.[14] Furthermore, if the DOC receives credible evidence that the participating company is not complying with its obligations, it may require the company to complete a “detailed questionnaire.” Failure to satisfactorily respond, or failure to respond in a timely manner, may result in a company’s referral to the relevant oversight authority for investigation and enforcement action, and a company that persistently fails to comply with the Principles will be removed from the DPF List.[15]
- A company that is certified under the DPF, which fails to comply with the Principles, or which falsely holds itself out as having certified under the DPF, may be liable under Section 5 of the FTC Act for violating the prohibition on unfair or deceptive acts or practices in or affecting commerce.[16] A participating company must publish any adverse finding or enforcement action on its website.
Key Takeaways & What Comes Next
Effective Date
The Adequacy Decision is effective as of July 10, 2023.
Companies may certify under the DPF starting on July 17, 2023, and may begin transferring data on the basis of the Adequacy Decision from the date the company is certified by the DOC and placed on the DPF List.
Companies currently certified under the Privacy Shield
Companies that maintained certification under the Privacy Shield following Schrems II will automatically be transitioned to the DPF. DOC guidance indicates that such companies will have a three-month grace period, until October 17, 2023, to begin applying the Principles and to update their relevant notices. A company would then certify under DPF on its regular, annual Privacy Shield recertification date.
Status of the SCCs
The Adequacy Decision does not affect the validity of the EU SCCs, which continue to be a lawful data transfer mechanism under GDPR. Any executed SCCs continue to be in force.
Effect of EO 14086 and the DPRC—Data Transfer Risk Assessments
The EC adopted the Adequacy Decision based on the implementation of EO 14086, finding that “taken as a whole, the oversight mechanisms and redress avenues in U.S. law enable infringements of the data protection rules to be identified and punished in practice and offer legal remedies to the data subject.”[17]
Regardless of the specific safeguards under which personal data may be transferred—i.e., whether under the DPF or SCCs—EO 14086 and the DPRC are in effect and, in the case of the latter, available as a redress mechanism to affected individuals. For companies not participating in the DPF, these mechanisms can be considered as factors in any data transfer risk assessment they conduct.
The UK-U.S. Data Bridge
On June 9, 2023, the U.S. and UK announced a commitment in principle to establish a “data bridge” for the flow of UK personal data to participating organizations in the United States. This will extend the DPF “subject to the UK’s data bridge assessment and further technical work being finalized” to cover data transfers under the UK GDPR, and is expected to be in place later this year. The DOC will issue further guidance on its DPF website regarding participation in the UK data bridge.
Legal Challenges to the DPF
NOYB called the efforts by the U.S. to implement surveillance limitations and redress mechanisms illusory, “magic tricks” and immediately declared its intent to challenge the adequacy of the DPF.[18] As with its predecessors, the Safe Harbor and the Privacy Shield, NOYB’s statements signal likely longer-term questions about the viability of the DPF as a lawful mechanism to transfer EU personal data.
Click here to download this article.
[1] Commission Implementing Decision of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection under the EU-US Data Privacy Framework, available here (hereinafter, the “Adequacy Decision”).
[2] Id., para. 8 (“This Decision has the effect that personal data transfers from controllers and processors in the Union to certified organizations in the United States may take place without the need to obtain any further authorisation.”).
[3] See Client Memorandum, European Court of Justice Declares EU-U.S. Safe Harbor Framework Invalid in a Landmark Decision – What to Do Now? (Oct. 7, 2015), available here.
[4] See Client Alert, Schrems II: Some Questions Answered, More Questions Raised (July 20, 2020), available here.
[5] See “European Commission Gives EU-US data transfers third round at CJEU,” NOYB (July 10, 2023) (hereinafter, “NOYB Statement”), available here.
[6] GDPR Arts. 44-46.
[7] Case C-311/18, Facebook Ireland and Schrems (Schrems II) ECLI:EU:C:2020:559, paras. 185, 197.
[8] EO 14086, Enhancing Safeguards for US Signals Intelligence Activities, 87 FR 62283 (Oct. 14, 2022), available here.
[9] The Principles, along with the supplements, are published by the Department of Commerce and attached as an annex to the Adequacy Decision. See Adequacy Decision Annex I.
[10] Id., at para 48.
[11] The Data Privacy Framework website is available here.
[12] Adequacy Decision, at para. 50.
[13] See id., at paras. 48-52.
[14] Id., at para. 53.
[15] Id., at para. 54.
[16] Id., at Annex I(III)(11)(f).
[17] Id., at para. 202; see also Id. at para. 204.
[18] NOYB Statement.
