
Freshfields TQ


The EU-US Data Privacy Framework: third time lucky for EU-US data transfers?

Businesses transferring personal data from the EU to the US will welcome news that the European Commission has approved the long-awaited EU-US Data Privacy Framework (the DPF). This blog post gives an overview of what the DPF is, how it works, and the implications for US and EU businesses. Additionally, we look at the implications for UK businesses.

What is the DPF?

The EU (and the wider European Economic Area (EEA)) restricts transfers of personal data to countries it regards as providing an inadequate level of data protection. However, the European Commission may, by way of a formal procedure, recognise a country as providing an adequate level of protection and grant a so-called ‘adequacy decision’ that facilitates the transfer of personal data to recipients based in that country. In practice, cross-border transfers of data are essential for the global economy, and especially so for the economies of the EU and US. The US and the EU are each other’s most important commercial partners for digitally-enabled services, with EU-US data flows estimated to underpin more than US$1 trillion in annual cross-border trade and investment.

On 10 July 2023, the European Commission adopted its adequacy decision for the DPF. The DPF is a new mechanism negotiated between the EU and the US over the past three years to allow the transfer of personal data from the EU (and EEA) to eligible US companies that choose to participate in the DPF. The DPF replaces the prior Privacy Shield program, which was invalidated by the Court of Justice of the European Union (CJEU) in July 2020 in its landmark ‘Schrems II’ decision. In turn, the Privacy Shield program replaced the earlier Safe Harbor program, which similarly had been invalidated by the CJEU in October 2015. The invalidation of the Privacy Shield program created uncertainty and challenges for transatlantic transfers of personal data. While other mechanisms to transfer personal data in line with EU/EEA requirements to the US remained available, such as the Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs), the Privacy Shield program was popular as a dependable and straightforward mechanism that only required an eligible US company to self-certify and comply with the Privacy Shield Principles.

In invalidating the Privacy Shield program, the CJEU had expressed concerns about the scope and proportionality of US government surveillance activities, and the level of recourse available to EU individuals to object to such activities. In order to help establish the new DPF, the US government recently confirmed that it had implemented a number of reforms aimed at addressing those concerns, including enhanced safeguards relating to its intelligence gathering activities and new redress mechanisms for individuals in the EU/EEA (see here for further background).

The new DPF promises a much simpler solution than relying on SCCs or BCRs. For example, SCCs are complex provisions that must always be explicitly agreed between the parties, and BCRs require prior approval from the competent supervisory authority. Furthermore, organisations using SCCs or BCRs must also undertake a transfer impact assessment (TIA) to check whether the personal data being transferred is, in the specific circumstances, protected to the standards required by EU law. In comparison, the DPF provides a more streamlined, principles-based approach to data transfers.

How does the DPF work and what should US companies consider in deciding whether to self-certify to the DPF?

Like the previous Privacy Shield, the DPF will only allow the transfer of personal data to certain in-scope US companies that have self-certified to the DPF. The DPF is therefore far narrower than most other adequacy decisions that allow personal data to generally be transferred to a certain country without requiring any action from the data recipients. That difference reflects that the US does not have a general uniform data protection law comparable to the EU’s General Data Protection Regulation (GDPR).

The DPF will only apply to transfers to US companies fulfilling certain prerequisites. In particular, the US company must:

  • be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) or the US Department of Transportation (DoT);
  • self-certify under the DPF by publicly committing to comply with the EU-US Data Privacy Framework Principles issued by the US Department of Commerce (Principles), which are derived from and expand upon the prior EU-US Privacy Shield Principles;
  • disclose privacy policies in line with the Principles; and
  • have fully implemented the Principles, and perform regular internal or external verifications of its compliance with the Principles.

As part of its self-certification, a US company will need to submit certain information to the US Department of Commerce to request to be placed on the DPF list. The US company will then need to re-certify itself on an annual basis. The Department of Commerce will administer and monitor self-certified US companies regarding compliance with the DPF requirements, including via random spot checks. The FTC and DoT will be responsible for potential enforcement action.

Similar to the prior EU-US Privacy Shield Principles, the Principles are based on certain core GDPR principles, although they are not identical to GDPR. These include principles related to notice, choice, accountability for onward transfers, security, data integrity and purpose limitation, access, and recourse, as well as requirements for undertaking assessments to verify compliance. In certain cases, US companies that have self-certified to the DPF are also required to cooperate with European supervisory authorities.

What is the position of organizations that maintained Privacy Shield certification and when can organizations apply to join the DPF?

The US Department of Commerce has confirmed that US based organizations that continued to self-certify their commitment to comply with the Privacy Shield framework principles must comply with the EU-US DPF Principles, including by updating their privacy policies by 10 October 2023, or withdraw in accordance with relevant procedures. Further information on how such organizations can transition to the DPF is available here.

On 17 July 2023, a DPF program website (www.dataprivacyframework.gov) will launch to enable US-based organizations to make initial self-certification submissions for the DPF.

What should EU companies consider in deciding whether to rely on the DPF?

The DPF is the third attempt to establish a streamlined data mechanism to facilitate transfers of personal data from the EU to US. Max Schrems, who led the successful challenges to the previous two EU-US transfer mechanisms, has already vowed to challenge the DPF. Schrems’ privacy advocacy group has stated that the challenge may come before the CJEU by early 2024, and is likely to include a request for the CJEU to suspend the DPF at an earlier stage of proceedings.

Although both the European Commission and US government representatives have been optimistic about the chances of the DPF surviving an expected legal challenge, at this stage it is unclear whether it will. The European Commission will review the DPF within one year after the entry into force (and then periodically thereafter) and may, in theory, adapt or even withdraw it in light of developments affecting the level of protection in the US.

Just as the DPF offers a more streamlined data transfer mechanism for participating US companies, it also offers a more streamlined option for EU organisations transferring personal data to participating US companies. EU organisations simply need to ensure that the US organisation has self-certified to the DPF, and will not need to enter into additional contractual instruments (such as SCCs) or conduct TIAs on transfers made under the DPF due to its adequacy decision. Given the above-mentioned uncertainties, however, EU businesses may still prefer to continue to use SCCs or BCRs for their EU-US personal data transfers, or wish to rely primarily on the DPF with back-up arrangements that would cause SCCs or BCRs to kick-in if the DPF is invalidated in the future.

What are the implications under UK data protection laws?

Like the EU/EEA, UK data protection laws restrict cross-border transfers of personal data to countries that the UK does not view as providing an adequate level of data protection, currently still including the US.

The Privacy Shield was also invalidated as a mechanism for transfers of personal data to the US under the UK’s post-Brexit data protection regime, and the new DPF will only address transfers of personal data to the US under EU law; it will not apply under UK law. However, the UK government is separately working with the US on a potential transatlantic ‘data bridge’, which has been described as an ‘extension’ to the DPF mechanism.

From 17 July 2023, eligible US organizations that wish to self-certify their compliance pursuant to that anticipated UK extension to the DPF may do so. However, organizations may not begin relying on the proposed UK extension to send or receive personal data transfers from the UK before the date on which the UK’s adequacy regulations implementing the data bridge extension enter into force. According to the US Department of Commerce, organizations that wish to participate in the UK extension to the DPF must also participate in the EU-US DPF.

Conclusion

The DPF offers a more streamlined and flexible approach for transfers of personal data from the EU to the US. While a legal challenge to the DPF seems inevitable, the DPF does offer substantive additional protections beyond the predecessor Privacy Shield program, and companies may find the DPF to be a helpful additional tool in managing cross-border data transfers from the EU to the US.
