On 10 July 2023, the European Commission adopted its adequacy decision concluding that the EU-US Data Privacy Framework provides an adequate level of protection for personal data transferred from the European Union (EU) to US companies. Approved by the US following President Joe Biden’s executive order in October 2022, the framework is designed to enable the sharing of personal data between the EU and the US without the need for additional data protection safeguards.
With immediate effect, the adequacy decision provides a new lawful basis for transatlantic data transfers from the EU to the US for organizations that certify under the EU-US Data Privacy Framework. European Commissioner for Justice Didier Reynders said that ‘personal data can now flow freely and safely from the European Economic Area to the United States’.
The decision comes just days after the US Department of Justice and the US Office of the Director of National Intelligence announced the completion of commitments under Biden’s executive order concerning the framework.
Why is this important?
The EU-US Data Privacy Framework is likely to be a key facilitator of the transatlantic data economy – i.e., organizations built on new technologies such as artificial intelligence or cloud computing, as well as any other organization with a data-driven business model, such as pharmaceutical companies, that needs to process data on a global scale and relies on the free flow of data to drive its business.
The EU-US Data Privacy Framework is good news for all organizations that transfer personal data from the EU to the US – in particular, the 5,300+ multinational companies that previously relied on the Privacy Shield regime for EU-US data transfers before it was invalidated by the Court of Justice of the EU (CJEU) in its Schrems II decision in July 2020.
According to the European Commission, the EU-US Data Privacy Framework addresses the concerns raised by the CJEU in Schrems II, including with respect to access to EU data by US intelligence services. It also offers improved redress mechanisms if European citizens’ personal data is handled in a manner that infringes on the EU-US Data Privacy Framework, including through the newly created Data Protection Review Court.
The adequacy decision was preceded by substantial changes to US intelligence-gathering requirements that have cleared the path for transfers of EU personal data under all mechanisms recognized by the General Data Protection Regulation (GDPR).
What does formal adoption of the framework mean?
The formal adoption of the adequacy decision by the European Commission means that personal data received via the framework is subject to ‘essentially equivalent’ protection to that of the EU.
Self-certified organizations that adhere to the EU-US Data Privacy Framework Principles and commit to a set of privacy obligations can receive personal data without having to put in place additional transfer mechanisms and safeguards, such as the standard contractual clauses (SCCs) and supplementary measures.
Organizations currently self-certified under the EU-US Privacy Shield Framework will have access to a simplified procedure for self-certification under the EU-US Data Privacy Framework.
What should US companies do?
In order to make transfers under the framework, US organizations will have to apply to the US Department of Commerce (DOC) to be added to the Data Privacy Framework List. US organizations must therefore self-certify their adherence to the EU-US Data Privacy Framework Principles.
While the system for administering the framework has yet to be fully set up, organizations intending to make use of the framework may choose to begin preparing for the self-certification process, which involves collecting a wide range of information. The US International Trade Administration already launched a Data Privacy Framework website that is intended to include information on self-certification, participating organizations, enforcement and more.
Examples of information required for the certification process (and subsequent annual recertification processes) include:
- The name of the organization and any relevant US subsidiaries also covered.
- A description of the purposes for which the organization will process personal data.
- The personal data that will be covered by the certification.
- A copy of the privacy policies relevant to personal data, including a statement in such privacy policies that the organization adheres to the principles of the framework and a link to the framework’s website.
- Contact details of relevant persons within the organization.
- The name of any privacy programs of which the organization is a member.
- Relevant independent recourse methods in the event of a complaint.
In addition to the above, organizations must disclose the method of self-certification (self-assessment or outside compliance review). This will involve the organization verifying the accuracy of the attestations made in the (re)certification application:
- If the organization has self-assessed its compliance, it must demonstrate that its privacy policy is accurate, comprehensive, readily available, conforms to the framework and is implemented in its entirety.
- If the organization has chosen an outside compliance review, the organization must verify the aforementioned factors by way of, for example, audits or use of technological tools. In each case, an authorized representative of the organization must sign a statement verifying the assessment.
Organizations will only be placed on the Data Privacy Framework List once the DOC has determined that the self-certification submission is complete. Organizations that voluntarily withdraw from self-certification – or that fail to recertify annually or persistently fail to comply with the principles of the framework – will be removed from the Data Privacy Framework List.
A transfer impact assessment (TIA) for EU-US data transfers will technically not be needed for transfers covered by the EU-US Data Privacy Framework, as the EU-US Data Privacy Framework adequacy decision replaces the adequacy assessment in the TIA. However, it should be noted that TIAs will still be necessary for transfers not covered by the EU-US Data Privacy Framework, whether for the US or other third countries.
Does the framework apply to UK companies?
The adequacy decision only affects EU member states, along with Iceland, Liechtenstein and Norway.
The UK is currently working to complete its adequacy assessment for a UK-US Data Privacy Framework. Until this process is complete, organizations should continue using the International Data Transfer Agreement to transfer personal data to the US. The International Data Transfer Agreement allows for personal data to be lawfully transferred from the UK to the US without relying on the SCCs issued by the European Commission.
Will the framework be challenged?
There is a strong possibility that the framework will be subject to a legal challenge through the courts. NOYB, the privacy advocacy organization founded by Max Schrems, indicated that it will challenge the framework, noting that the ‘third attempt of the European Commission to get a stable agreement on EU-U.S. data transfers will likely be back at the Court of Justice in a matter of months’. The organization said the US did not address ‘fundamental’ surveillance issues.
European Commissioner for Justice Didier Reynders responded to NOYB’s statement during his press conference announcing the EU-US Data Privacy Framework, saying the new system should be tested before a legal challenge is announced. ‘I’m sure that we have very robust arguments to show that we now have a very different system than what we have had with Safe Harbor and also with the Privacy Shield’, he said. ‘We are very confident to not only implement such an agreement, but to defend such an agreement in all the different procedures that we will have to face. Again, it’s just a proposal, but why not test the new system before going too far in criticism of such a system’, Reynders continued.
Nevertheless, given the strong possibility of a legal challenge through the courts, prudent organizations will keep SCCs in place as a fallback in the event that the framework does not survive such a challenge.