On December 13, the European Commission (“EC”) announced a draft decision on the adequacy of the U.S. data protection regime to protect the personal data of European Union (“EU”) residents, the EU-U.S. Data Privacy Framework (“DPF”). The DPF, which was initially announced in March 2022 as a political agreement between the EU and the U.S., and then bolstered by President Biden’s Executive Order (“EO”) in October 2022, opens the door for an EU-U.S. data transfer deal to replace the EU-U.S. Privacy Shield, which the Court of Justice of the European Union (“CJEU”) invalidated in its July 2020 Schrems II decision. The EC’s relatively swift movement toward the adoption of an adequacy decision for the DPF has largely been expected, given various factors, including the increasing closeness between the EU and the U.S. in the wake of geopolitical tensions in other regions, the need to help protect the $7.1 trillion U.S.-EU economic relationship, and the common goals of increasing data privacy protections in the transatlantic context.
What happens now?
The key next steps are in the EU. The European Data Protection Board (“EDPB”) and the European Parliament (“EP”) will have opportunities to provide an opinion on the draft DPF. The EC will also submit the DPF to a committee of Member State representatives for approval. In terms of overall timing, the EU’s Justice Commissioner, Didier Reynders, said publicly that he hoped the DPF would be finalized by July 2023, adding that: “analysis has showed that strong safeguards are now in place in the U.S. to allow the safe transfers of personal data between the two sides of the Atlantic.”
What is different about the DPF from its predecessor?
The DPF, along with the EO and other developments, addresses the primary concern that led to the invalidation of the EU-U.S. Privacy Shield (“Privacy Shield”), namely, access to personal data by U.S. national security and criminal law enforcement agencies. Under the DPF and the EO, among other enhancements, access to the personal data of EU residents by U.S. intelligence agencies will be limited to what is necessary and proportionate to protect national security, and EU residents will have more mechanisms to obtain relief for violations, including review by the newly created Data Protection Review Court.
From a commercial privacy perspective, the mechanics of the DPF appear to be similar to Privacy Shield. U.S. companies within the scope of enforcement authority of the U.S. Federal Trade Commission (“FTC”) and/or the U.S. Department of Transportation (“DOT”) will be eligible to participate in the DPF. Participation will require compliance with the DPF privacy principles and successful completion of a certification process with the U.S. Department of Commerce (“DOC”).
From a substantive commercial perspective, the DPF includes robust data privacy principles, with elements similar to the EU General Data Protection Regulation (“GDPR”), namely: (i) purpose limitation and choice; (ii) special rules with respect to processing special categories of personal data; (iii) data accuracy, minimization, and security; (iv) transparency; (v) individual rights; (vi) restriction of onward transfers; and (vii) accountability.
Looking a bit more closely at the 134 pages of text associated with the draft adequacy finding for the DPF, some other details suggest commercial enforcement of the DPF will be robust. The FTC takes the time to identify the 68 enforcement cases that it had brought under Privacy Shield, and is clear that it will engage in vigorous enforcement of the DPF. The DOC specifies that it will engage in a strong review before accepting certifications, and will also actively monitor publicly available information for false claims of adherence to the DPF. The DPF also opens the way for EU data protection authorities (“DPAs”) to make direct complaints to the DOC about individual companies, and facilitates collaboration among the DOC, the EC, and the DPAs to provide guidance on the meaning of the DPF’s provisions. In addition, the DPF imposes obligations on companies to ensure that data shared with third parties remains protected, and it provides EU citizens several avenues for redress if a violation impacts their personal data, including the ability to file a complaint before various dispute resolution boards at no charge.
Why would companies wish to join the DPF?
U.S. companies that engage in substantial and/or increasing business with EU affiliates, business partners, and/or consumers may wish to consider participation in the DPF, if adopted, as a means of facilitating transfers of personal data from the EU to the U.S. The advantages and disadvantages of this approach, as opposed to EC standard contractual clauses, binding corporate rules, or other vehicles/approaches, would need to be addressed by each company. An overarching factor may also be a concern that the DPF, like its predecessors, may be invalidated by the CJEU, although the substantial differences in geopolitical conditions at this stage, combined with the enhanced protections in the updated framework, suggest that the DPF has been thoughtfully designed to address the CJEU’s identified concerns.
What should companies do now?
As the consideration process for the DPF is still underway within the EU, there is no immediate action for companies at the moment. However, companies that are considering adherence to the DPF once it comes into effect should consider the published principles and how they will be able to comply. Companies can also begin to reflect the substantive benefits afforded by the EO when conducting Schrems II assessments regarding ongoing data transfers.