On July 10, 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework (“DPF”). US companies that participate in the DPF will be deemed to provide “adequate protection” under Article 45 of the EU General Data Protection Regulation (“GDPR”) for personal data transfers received from the European Union (“EU”) and European Economic Area (“EEA”).
Why did the EC need to adopt the adequacy decision for the DPF?
As we have previously written, the EU Court of Justice (“ECJ”) created uncertainty regarding transatlantic personal data transfers in its July 2020 Schrems II ruling. In particular, Schrems II invalidated the EC’s decision of adequacy for the EU-U.S. Privacy Shield, the predecessor to DPF. The focus of the ECJ’s concerns in Schrems II related to US national security and government surveillance, and the rights of individual data subjects in the EU to challenge such practices. The scope of Schrems II was so broad that it not only invalidated Privacy Shield, but it also cast doubt on cross-border personal data transfers via other means, such as through EC standard contractual clauses and binding corporate rules.
How did the US government and the European Commission collaborate to strengthen protections for transatlantic personal data transfers?
In response to Schrems II, the US government and the European Commission worked collaboratively to develop the DPF as a successor to Privacy Shield, and a means to provide greater certainty for transatlantic personal data transfers. Among other activities, the US Administration adopted Executive Order 14086 (“EO”) to establish enhanced privacy protections for personal data in the context of government surveillance, and a new process for individuals to seek redress on these issues concerning personal data transfers from a “qualifying state” to the United States. The US government recently issued additional implementing procedures for the EO, and also declared the EU and EEA Member States as “qualifying states,” such that local EU and other EEA citizens will be able to seek redress via the Office of the Director of National Intelligence (“ODNI”) Civil Liberties Protection Officer (“CLPO”), and ultimately the U.S. Data Protection Review Court.
What is the impact of the DPF?
The DPF will serve as a core option for US companies to assure adequate protection for transatlantic personal data transfers. The DPF will help to strengthen the substantive privacy protections for personal data transfers from the EU/EEA, and assure greater legal certainty for EU/EEA companies transferring data to DPF participants in the US. More broadly, the substantive protections implemented to facilitate the adoption of the DPF, including the EO privacy protections and the procedural rights of redress, will be available for data subjects in the EU/EEA, regardless of whether the recipient US company participates in the DPF.
What should companies do?
US companies should evaluate the potential benefits of participation in the DPF for transatlantic transfers. Companies that have continued their participation in Privacy Shield should find it relatively easy to convert their Privacy Shield participation into DPF participation. Other US companies, if they find the DPF a suitable solution, should update their current privacy programs to address the substantive and procedural requirements of DPF, and file for certification with the US Department of Commerce (“US DOC”). More information on the US DOC procedure is expected soon. All companies engaging in transatlantic data transfers, regardless of their position with the DPF, should update their data transfer impact assessments (“DTIAs”) to take account of the enhanced substantive and procedural protections for personal data pursuant to the EO and other US developments.
Going forward, it is expected that the DPF will be subject to legal challenges similar to those that impacted the Privacy Shield. Although we have suggested for some time that the long-term solution should be a multilateral treaty arrangement that takes the issue outside the scope of GDPR, we know that DPF will provide welcome relief in the short to medium term for transatlantic commerce and data privacy protection.