(or, the revised, revised framework for EU-US data transfers)
On July 10, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework (“EU-US DPF”). In short, the decision concluded that, in relation to personal data transferred from the EU to US companies, the United States framework provides adequate safeguards. Of course, a US company would need to participate in this framework to benefit from this opinion.
An adequacy decision is part of Europe’s General Data Protection Regulation (“GDPR”). These decisions ensure that personal data flowing from the European Economic Area to third countries does so in compliance with EU privacy expectations, thus providing EU citizens with protections similar to the GDPR’s when their data is being transferred across borders.
So, why Groundhog Day? Because we’ve been here before. The approval of the EU-US DPF follows the invalidation of two previous frameworks, the most recent being the EU-US Privacy Shield Framework invalidated in July 2020 by the EU Court of Justice in a decision known as Schrems II. Based on concerns about US surveillance practices, the Court determined in Schrems II that the safeguards provided by the Privacy Shield Framework were inadequate. The result was three years of negotiations and the US issuance of Executive Order “Enhancing Safeguards for United States Signals Intelligence Activities” in an attempt to address the points raised in the decision.
The EU-US DPF was introduced as a negotiated successor to the invalidated EU-US Privacy Shield Framework. This new framework includes safeguards and restrictions concerning the access of data by US intelligence agencies. These measures include permitting access to US intelligence agencies only to “the extent of what is necessary and proportionate,” as well as establishing an additional redress avenue in the case of mishandled data.
In the absence of an adequacy decision, EU companies often employed Standard Contract Clauses (SCCs), in conjunction with Transfer Impact Assessments, as a legal mechanism to transfer personal data to the US. Now that the EU-US DPF has been approved, companies have the choice between (1) continuing to utilize SCCs or (2) certifying to the EU-US DPF.
Briefly, a company wishing to certify must:
- Be subject to the investigatory and enforcement powers of either the Federal Trade Commission or the U.S. Department of Transportation;
- Submit information to the Department of Commerce (DOC) and self-certify through the newly created DPF website;
- Publicly declare commitment to compliance with the EU-US DPF’s principles*;
- Fully implement the Framework’s principles;
- Make its privacy policies publicly available; and
- Re-certify on an annual basis.
If already certified to Privacy Shield, companies will need to update their privacy policies to refer to the “EU-U.S. Data Privacy Framework Principles” as soon as possible, but no later than three months from July 11, 2023.
*Additionally, a company certifying for the first time is prohibiting from publicly referring to their adherence to the EU-US Data Privacy Framework principles before the DOC has added the company to the DPF List.
The EU-US Data Privacy Framework Principles are:
- Notice: outlining what information organizations will need to provide to individuals including the purpose for collection and usage of personal data;
- Choice: stipulating that organizations must give individuals the opportunity to opt out of certain uses of their personal data;
- Accountability for Onward Transfer: specifying additional requirements for organizations that participate in onward transfers, i.e., transferring personal data to a third party;
- Security: requiring organizations to consider the risks associated with the nature of the personal data they are collecting and take reasonable steps towards its protection;
- Data Integrity and Purpose Limitation: necessitating the data collected must be used for the purposes for which it was collected and the data itself must be accurate and reliable for its intended use;
- Access: ensuring individuals have access to the personal data that an organization has about them and have the ability to amend or delete information that is not accurate or that is conflicting with EU-US Data Privacy Framework Principles; and
- Recourse, Enforcement and Liability: include effective privacy protection mechanisms for ensuring compliance and some form of recourse in the event of noncompliance (i.e., independent recourse mechanisms for individuals, follow-up procedures to verify compliance, and required remedies in the event of a violation).
Upon certification, the EU-US Data Privacy Framework Principles go in effect immediately.
If a company so choses to self-certify to the DPF, it will be permitted to transfer data from the EU without using SCCs or Transfer Impact Assessments. However, even companies who chose to not certify to the EU-US DPF are likely to benefit as they can reference the adequacy decision in future Transfer Impact Assessments.
In summary, the approval of the EU-US DPF points to a more efficient process for transferring data from the EU to certified organizations in the US. It is important for companies to now decide whether self-certification is right for them. We can help you in that decision making process! Contact us today.