Authors: Jim Sullivan, Rachel De Souza, Heidi Waem, John Magee and David Brazil

On 10 July 2023, the European Commission adopted its long-awaited adequacy decision for the EU-US Data Privacy Framework (DPF). The DPF replaces the Privacy Shield Framework (Privacy Shield), which was invalidated by the Schrems II decision of the Court of Justice of the European Union (CJEU) in July 2020. Effective immediately, the new adequacy decision allows personal data to flow from the European Economic Area (EEA) to DPF-certified US companies without the need for additional data protection safeguards.

Implications

In a manner comparable to its predecessors, Privacy Shield and the EU-U.S. Safe Harbor Framework (Safe Harbor), the DPF enables certified companies that make legally binding commitments to comply with the DPF Principles (contained in Annex I to the adequacy decision) to receive personal data from the EEA without having to rely on EU-approved transfer mechanisms such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), and without having to conduct Transfer Impact Assessments (TIAs). The European Commission has concluded that the United States (US) ensures an adequate level of protection, comparable to that of the European Union (EU), for personal data transferred from the EU to US companies under the new DPF.

For the nearly 3,000 companies that have maintained their Privacy Shield certifications since the Schrems II decision, the new adequacy decision should permit them to avail themselves of the updated DPF relatively quickly. Companies not currently certified would need to start the DPF certification process from scratch.

Any US organization that is subject to the jurisdiction of the Federal Trade Commission (FTC) or the Department of Transportation (DOT) may certify under the new DPF. While the FTC has broad authority over companies engaged in commerce, it does not have jurisdiction over, among others, non-profits, most depository institutions (banks, federal credit unions, and savings & loan institutions), and common carriers. In addition, the FTC’s jurisdiction with regard to insurance activities is limited to certain circumstances. Organisations that are ineligible or prefer not to rely on the DPF will still need to use SCCs, BCRs, or another transfer mechanism and carry out TIAs.

Legal Challenges

The European Commission has stated that the DPF introduces “significant improvements compared to the mechanism that existed under the Privacy Shield”. An essential element of the US legal framework on which the adequacy decision is based is Executive Order 14086 on ‘Enhancing Safeguards for United States Signals Intelligence Activities’ (EO). In particular, the EO directed US government agencies to take steps to implement several commitments, including:

  • Additional safeguards to limit US intelligence authorities’ access to personal data to what is necessary and proportionate to protect national security,
  • Enhanced oversight of US intelligence services’ activities to ensure compliance with limitations on surveillance activities, and
  • Redress mechanisms, including establishment of the Data Protection Review Court (DPRC) to which EEA individuals will have access. DPRC decisions regarding violations of applicable US law (and appropriate remediation) are legally binding and the DPRC will select a special advocate in each case to advocate on behalf of the complainant.

Notwithstanding the European Commission’s assertion that the binding safeguards implemented pursuant to the EO “address all the concerns raised by the European Court of Justice,” the DPF is expected to be contested. Max Schrems’ privacy organisation, NOYB, which led the previous legal challenges to both Privacy Shield and Safe Harbor, has already announced that it will also challenge the DPF. Characterizing it as “largely a copy of the failed ‘Privacy Shield,’” NOYB claims that “there is little change in US law or the approach taken by the EU” and that “[t]he fundamental problem with FISA 702 was not addressed by the US, as the US still takes the view that only US persons are worthy of constitutional rights.” Given the previous invalidations of Privacy Shield and Safe Harbor by the CJEU, the long-term durability of the DPF remains a concern.

Next steps

For DPF-eligible organisations, the adequacy decision will significantly ease their compliance burdens. To participate in the DPF, they must certify through the new DPF website maintained by the U.S. Department of Commerce.

For those that are ineligible to certify under the DPF (i.e. not subject to FTC or DOT jurisdiction), SCCs and BCRs will likely remain the default transfer mechanisms. As they are not covered by the DPF, such organizations will still need to conduct TIAs, although the changes to US surveillance laws under the EO should simplify the TIA process.

The functioning of the DPF will be subject to periodic reviews, to be carried out by the European Commission, together with representatives of European data protection authorities and competent US authorities.

The first review will take place within a year of the entry into force of the adequacy decision, in order to verify that all relevant elements have been fully implemented in the US legal framework and are functioning effectively in practice.

For further information, please contact your usual DLA Piper lawyer.