On July 10, 2023, the European Commission adopted its decision granting adequacy status for the EU-US Data Privacy Framework (“the Framework”) – the new mechanism aimed at enabling compliance with EU data protection requirements when transferring personal data from the European Union to the United States. As a result of the decision, EU organisations may transfer personal data to US-based organisations participating in the Framework, without the need for any further appropriate safeguards.
Colleagues from our Data, Privacy and Cyber team answer the six most common questions that organisations on both sides of the Atlantic may have following the Commission’s adequacy decision.
Under the General Data Protection Regulation (GDPR) and the UK GDPR, personal data may only be transferred to a third country if an adequate level of protection is maintained. This can be achieved in a number of ways, including by putting in place a suitable safeguard (often referred to as a "transfer mechanism"), such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). Alternatively, the Commission (or, under the UK GDPR, the Secretary of State) may assess a third country, territory or one or more specified sectors within a third country and conclude that it ensures an adequate level of protection (an "adequacy decision").
The Commission’s adequacy decision is not a blanket recognition that the entire US data protection regime provides adequate safeguards. Instead, it provides that the United States ensures an adequate level of protection for EU-US data transfers, only where the US recipient has joined (i.e. committed to its obligations under) the Framework.
What’s new in the Framework compared to previous mechanisms?
The Framework is the third attempt at a dedicated mechanism for transatlantic data flows: its predecessors, Safe Harbor and Privacy Shield, were invalidated by the Court of Justice of the European Union (CJEU) in 2015 and 2020 respectively, in the Schrems I and Schrems II cases.
The Framework introduces new binding safeguards to address the concerns raised by the CJEU in Schrems II. Most of these stem from Executive Order (EO) 14086, signed by President Biden in October 2022, which limits US intelligence agencies' access to EU personal data to what is necessary and proportionate to protect national security. The EO also establishes a two-tier redress mechanism for complaints from EU individuals about access to their data by US intelligence agencies: complaints are first reviewed by the Civil Liberties Protection Officer of the Office of the Director of National Intelligence, with a right of appeal to a new Data Protection Review Court (DPRC). The DPRC will independently investigate and resolve complaints and has the power to impose binding remedial measures. Additionally, the Framework imposes obligations on US companies processing personal data received from the EU, which must self-certify their adherence to the Framework Principles through the US Department of Commerce.
The Framework is intended to be a significant improvement on Privacy Shield. Notably, the DPRC may order the deletion of data if it determines that it was collected in violation of the new safeguards. These enhanced safeguards on government access to data complement the obligations that US companies importing data from the EU must follow.
How can US companies comply?
The US Department of Commerce will administer the Framework, handling self-certification applications and monitoring participating companies' continued adherence to the certification requirements. Enforcement powers rest with the Federal Trade Commission (FTC) (and, for organisations within its jurisdiction, the Department of Transportation).
To participate, companies must self-certify and publicly commit, for example in their privacy notices, to comply with the Framework Principles (seven Principles and 16 Supplemental Principles), which are enforceable under US law. Self-certification is made online at www.dataprivacyframework.gov. Organisations that were already certified under Privacy Shield may rely on the Framework immediately and have until 10 October 2023 to update their privacy policies to refer to the Framework Principles, without having to make a new self-certification. Certification must then be renewed annually.
How can EU companies comply?
Before transferring personal data to the US on the basis of the Framework, EU exporters must satisfy themselves that the US importer has committed to the Framework Principles. In practice this means checking that the importer appears on the Data Privacy Framework List published by the US Department of Commerce (at www.dataprivacyframework.gov), that its certification is active rather than lapsed, and that the certification covers the categories of data being transferred (for example, HR data is covered only where the organisation has certified for it). Exporters should record this check and repeat it periodically, since a lapsed certification means the transfer is no longer covered by the adequacy decision.
What about UK to US transfers?
The Framework does not cover transfers from the UK to the US. However, in the run-up to the Commission’s decision, the UK and US Governments announced a commitment in principle to establish a "Data Bridge". This will take the form of a “UK extension” to the Framework, which US organisations will be able to certify to in addition to the core Framework, and is expected to come into force later in 2023.
Can any company join the Framework?
No. As with Privacy Shield (and Safe Harbor before it), only organisations subject to the jurisdiction of the US Federal Trade Commission or the Department of Transportation are eligible to join the Framework. Notably, this excludes many financial services firms, such as banks and insurers, which will need to continue relying on other transfer mechanisms.
What is the impact of the Framework on transfers based on SCCs and BCRs?
Some EU organisations will choose not to rely on the Framework for their US transfers, for example where the data recipient is unable or unwilling to join it. In those cases an alternative transfer mechanism must be used, such as the SCCs or BCRs. Following Schrems II, exporting organisations relying on these mechanisms must assess, case by case, whether the destination jurisdiction provides an “essentially equivalent” level of protection for the personal data and, where necessary, implement supplementary measures to ensure that protection. As many companies in the EU and UK will have experienced, this is done by carrying out a Transfer Impact Assessment (TIA). Existing TIAs for US transfers should, if they have not been already, be revised to take account of the adequacy decision and the safeguards introduced by EO 14086, which apply to all transfers of personal data to the US and not only to those made under the Framework.
For more practical information on conducting TIAs, please see our practical guidance or get in touch with a member of our team.