On 13 December 2022, the European Commission issued a draft adequacy decision concluding that the EU-US Data Privacy Framework provides an adequate level of protection for personal data transferred from EU to US companies. Approved by the US following President Joe Biden’s executive order in October 2022, the framework is designed to enable the sharing of data between the EU and the US without the need for additional safeguards or measures.
Why is this important?
This is good news for all organisations that transfer personal data from the EU to the US – in particular, the 5,300+ multinational companies that previously relied on the Privacy Shield regime for EU-US data transfers before it was invalidated by Schrems II in July 2020. The new framework directly addresses the issues raised in Schrems II through restrictions on US national security data collection methods, and a redress mechanism for EU citizens in the event of an alleged privacy violation, including a newly created Data Protection Review Court.
What is the process?
Before companies can rely on the framework, the draft decision must go through the EU’s four-step adoption procedure, which is already underway and will proceed as follows:
What are the next steps?
The EDPB will now review the draft decision and issue a nonbinding decision, after which the European Commission will need to obtain the approval of the EU member state representatives (55% of whom, representing at least 65% of the EU population, must approve it). Once that is done, the European Commission can issue its final, binding decision on whether to formally adopt the draft decision.
There is no set deadline for this process, and the European Parliament and the Council of the European Union could delay it at any stage with a request to amend or withdraw the draft decision. It is, however, estimated that the European Commission will make its final decision within six months (i.e., by late spring or early summer 2023).
What would formal adoption of the framework mean?
Formal adoption of the draft decision by the European Commission would mean that personal data received via the framework would be subject to ‘essentially equivalent’ protection to that of the EU. The US must then accept the EU as a ‘qualifying state’ under the framework. Importantly, before personal data could safely flow from the EU to the US, organisations would have to self-certify their compliance with the detailed provisions of the framework, similar to the previous Safe Harbor and Privacy Shield regimes.
How should US companies prepare?
In order to make transfers under the framework, US companies will have to apply to the US Department of Commerce (DOC) to be added to the Data Privacy Framework List.
Whilst the draft decision is not final, and the system for administering the framework has yet to be set up, organisations intending to make use of the framework may choose to begin preparing for the self-certification process, which involves assimilating a wide range of information.
Examples of information required for the certification process (and subsequent annual recertification processes) include:
- The name of the organisation and any relevant US subsidiaries also covered.
- A description of the purposes for which the organisation will process personal data.
- The personal data that will be covered by the certification.
- A copy of the privacy policies relevant to personal data, including a statement in such privacy policies that the organisation adheres to the principles of the framework, and a link to the framework’s website.
- Contact details of relevant persons within the organisation.
- The name of any privacy programmes of which the organisation is a member.
- Relevant independent recourse methods in the event of a complaint.
In addition to the above, organisations must disclose the method of self-certification (e.g., self-assessment or outside compliance review). This will involve the organisation verifying the accuracy of the attestations made in the (re)certification application:
- If the organisation has self-assessed its compliance, it must demonstrate that its privacy policy is accurate, comprehensive, readily available, conforms to the framework and is implemented in its entirety.
- If the organisation has chosen an outside compliance review, the organisation can verify the aforementioned factors by way of, for example, audits, or use of technological tools. In each case, an authorised representative of the organisation must sign a statement verifying the assessment.
Organisations will only be placed on the Data Privacy Framework List once the DOC has determined that the self-certification submission is complete. Companies that voluntarily withdraw from self-certification, or that fail to re-certify annually or persistently fail to comply with the principles of the framework, will be removed from the Data Privacy Framework List.
Does the framework apply to UK companies?
The draft decision only affects the EU. However, the UK government welcomed the publication of the Biden’s executive order and issued a press release on the same day expressing interest in a similar adequacy framework between the UK and the US. We understand that the UK is now working to complete its adequacy assessment for a UK-US Data Privacy Framework.
As with the EU, the US also will have to accept the UK as a ‘qualifying state’ in order for the framework to apply. Until this process is complete, organisations should continue using the International Data Transfer Agreement or the Addendum to the EU Standard Contractual Clauses in order to transfer personal data to the US.
Will the framework be challenged?
EU law has developed since the Schrems II decision in July 2020. For example, in Joined Cases C-793/19 | SpaceNet and C-794/19 | Telekom Deutschland, the Court of Justice of the European Union stated some exceptions that may permit US surveillance authorities to retain, ‘generally and indiscriminately’, certain personal data for the purposes of safeguarding national security or combating serious crime.
Nevertheless, there is a strong possibility that the framework will be subject to a legal challenge through the courts. As Patrick Van Eecke, head of Cooley’s European cyber/data/privacy team, explained to Reuters, the framework is ‘like putting the Concorde in the air again’ because it’s ‘fast, smooth and easy’, but ‘you never know if it will be flying next year. So, use it when it is available, but make sure you have an alternative option which is air-ready if and when Concorde stops flying again’. Therefore, smart companies will have a fallback clause in the form of standard contract clauses in the event that the framework doesn’t survive a legal challenge. Watch this space for further developments.