On 10 July, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework (the DP Framework). It thereby declared that the United States (the US) ensures an adequate level of protection for personal data transferred from the EU to US companies that have self-certified their adherence to the DP Framework Principles. More broadly, the DP Framework will significantly reduce the challenges faced by EU organisations transferring personal data to the US, at least for the time being.
A change in US law
Important changes in US law preceded the adequacy decisions and the Commission noted that Executive Order 14086 ‘Enhancing Safeguards for US Signals Intelligence Activities’ (the EO), which was issued on 7 October 2022, was a “particularly important element” of the legal framework assessed.
In particular, the adequacy decision includes a detailed explanation and assessment of: (i) the principles-based conditions, limitations and safeguards in the EO that govern all signals intelligence activities (which are key to meeting the “necessity and proportionality” requirements) and (ii) the new redress mechanism that the EO establishes. It was deficiencies in these areas under the old US legal regime that led to the Court of Justice of the European Union previously invalidating the EU-US Privacy Shield in the Schrems II decision back in 2020.
On 30 June 2023 the European Union was designated as a “qualifying state” (which was a condition for the redress mechanism to apply to EU residents) and updated policies and procedures to implement the EO were adopted by all US intelligence agencies on 3 July 2023.
These changes in US law apply to all transfers of personal data to the US from a “qualifying state” and not just transfers to importers who have certified their compliance with the DP Framework principles.
Application of the decision
As with Safe Harbour and Privacy Shield that came before, the adequacy decision does not fully legitimise all EU-to-US data transfers. Instead, its full benefit will only apply to the transfer of EU personal data to US organisations that have certified compliance with a set of DP Framework principles and are included on the “Data Privacy Framework List”, which will be maintained and made public by the US Department of Commerce. The website for self-certifying (www.dataprivacyframework.gov) will be launched on 17 July 2023.
The DP Framework principles themselves are updated versions of the Privacy Shield principles, and in a statement on 11 July (the DOC Statement), the US Department of Commerce noted that organisations who maintained their Privacy Shield certification will need to comply with the DP Framework Principles by 10 October 2023 (including by updating their privacy policies), but will not otherwise need to make a self-certification submission if they wish to participate in the DP Framework. Organizations that have not maintained their Privacy Shield certification or are otherwise new to the process, will need to complete the self-certification on the website above, starting 17 July 2023.
The DP Framework provides a framework whereby transfers to certified US companies can occur without any further authorisations or safeguards. However, the Commission’s favourable assessment of the changes in US laws set out in the adequacy decision will also be helpful to organisations relying on other export mechanisms – such as the standard contractual clauses and BCRs – to transfer personal data to the US due to the positive effect it will have on the transfer impact assessments that organisations must undertake when relying on these other export mechanisms.
Monitoring and review of the decision
The adequacy decision will be subject to periodical review by the Commission to check “whether the findings relating to the adequacy of the level of protection ensured by the United States under the EU-US DP Framework are still factually and legally justified”. The first review will take place within a year of its entry into force. After that, the frequency of future reviews will be determined by the Commission in close consultation with European data protection authorities.
Following a review (which will encompass an assessment of all aspects of the adequacy decision, including the implementation and application of the EO safeguards in practice) the Commission will prepare a public report. If issues identified in a review are not addressed by US authorities, the Commission will be able to partially or completely suspend or repeal the adequacy decision or subject data transfers under it to further conditions.
At the press conference announcing the adoption of the DP Framework, Didier Reynders stressed that the DP Framework is “substantially different” to the EU-US Privacy Shield. However, privacy activists disagree, with Max Schrems’ organisation, NOYB, stating that it will challenge the decision and that it expects to be back at the CJEU “by the beginning of next year”.
Does it apply to the UK?
For now, the DP Framework does not apply to the UK because the UK has not yet adopted its own adequacy decision in relation to the DP Framework. However, the DOC Statement states that, from 17 July 2023, US companies will be able to self-certify their compliance pursuant to the “UK Extension” to the EU-US DP Framework. Companies can rely on this UK extension to legitimise UK to US transfers once the UK has implemented regulations implementing the UK-US data bridge.
The Swiss-US DP Framework will come into effect on 17 July 2023. Similarly to the UK, the Swiss-US DP Framework-certified US companies will only be able to rely on the Swiss-US DP Framework after the Swiss Federal Administration’s anticipated recognition of adequacy for the Swiss-U.S enters into force.
Organisations have already been bitten twice by the invalidation of the DP Framework’s predecessors, Safe Harbour and the EU-US Privacy Shield, in the Schrems I and II decisions. Both these decisions triggered very time-consuming and costly repapering exercises and so we expect organisations on both sides of the Atlantic to be reluctant to rely on the DP Framework alone without, at the very least, an obligation on the importer and exporter to enter into Standard Contractual Clauses and conduct an appropriate Transfer Impact Assessment if a challenge to the DP Framework is ultimately successful.
Irrespective of this, the adequacy decision remains a very helpful and welcome development for all EU organisations transferring personal data to the US because it provides a positive assessment of changes to the controls on US bulk surveillance powers, which will be an important aspect to enabling organisations to conclude positive transfer impact assessments in relation to their EU-US transfers.