On 10th July 2023, the European Commission adopted its adequacy decision under Article 45 of GDPR for the EU-U.S. Data Privacy Framework (DPF). This ends years of uncertainty and legal risk for European organisations wishing to transfer personal data to the US. In May, Meta Ireland (the owner of Facebook) was the subject of the largest ever GDPR fine of €1.2bn (£1bn) when Ireland’s Data Protection Commission ruled that its US data transfers were not GDPR compliant. The new adequacy decision concludes that the United States ensures an adequate level of protection, comparable to that of the European Union, for personal data transferred from the EU to US companies under the new framework. Personal data can now flow safely from the EU to US companies participating in the Framework, without having to put in place additional data protection safeguards under the GDPR.
The Journey to Adequacy
In July 2020, the European Court of Justice (ECJ), in “Schrems II”, ruled that organisations that transfer personal data to the USA can no longer rely on the Privacy Shield Framework as a legal transfer tool, as it failed to protect the rights of EU data subjects when their data was accessed by U.S. public authorities. In particular, the ECJ found that US surveillance programs are not limited to what is strictly necessary and proportionate as required by EU law and hence do not meet the requirements of Article 52 of the EU Charter on Fundamental Rights. Secondly, with regard to U.S. surveillance, EU data subjects lack actionable judicial redress and, therefore, do not have a right to an effective remedy in the USA, as required by Article 47 of the EU Charter. The ECJ stated that organisations transferring personal data to the USA can still use the Article 49 GDPR derogations or standard contractual clauses (SCCs). If using the latter, whether for transfers to the USA or other countries, the ECJ placed the onus on the data exporter to make a complex assessment of the recipient country’s data protection legislation (a Transfer Impact Assessment or TIA), and to put in place “additional measures” beyond those included in the SCCs. Since the Schrems ruling, replacing the Privacy Shield has been a priority for EU and US officials. In March 2022, it was announced that a new Trans-Atlantic Data Privacy Framework had been agreed in principle. The US President signed an executive order in October, giving effect to the US commitments in the framework and paving the way for the European Commission to publish a draft ‘adequacy decision’ on 14th December 2022.
The EU-U.S. Data Privacy Framework (DPF) introduces new binding safeguards to address all the concerns raised by the European Court of Justice in Schrems. This includes limiting access to EU data by US intelligence services to what is necessary and proportionate, and establishing a Data Protection Review Court (DPRC), to which EU individuals will have access. The new framework introduces significant improvements compared to the mechanism that existed under the Privacy Shield. For example, if the DPRC finds that data was collected in violation of the new safeguards, it will be able to order the deletion of the data. The new safeguards in the area of government access to data will complement the obligations that US companies importing data from the EU will have to subscribe to. EU individuals will also benefit from several redress avenues in case their data is wrongly handled by US companies. This includes free of charge independent dispute resolution mechanisms and an arbitration panel.
Just like the old Privacy Shield, US companies can self-certify their participation in the DPF by committing to comply with a detailed set of privacy obligations. These could include privacy principles such as purpose limitation, data minimisation and data retention, as well as specific obligations concerning data security and the sharing of data with third parties. The DPF will be administered by the US Department of Commerce, which will process applications for certification and monitor whether participating companies continue to meet the certification requirements. Compliance will be enforced by the US Federal Trade Commission. Many US companies remain self-certified to Privacy Shield standards. Consequently, it is not going to be a difficult task for them to transition to the DPF. As far as EU organisations go, all they need to do now, before making a transfer of personal data to the US, is check that the organisation receiving their personal data is certified under the DPF. More information, including the self-certification process, is expected to be posted on the U.S. Department of Commerce’s new Data Privacy Framework website.
Impact on Other Data Transfer Tools
The safeguards that have been put in place by the US Government in the area of national security (including the redress mechanism) apply to all data transfers under the GDPR to companies in the US, regardless of the transfer mechanism used. These safeguards therefore also facilitate the use of other transfer tools, such as standard contractual clauses and binding corporate rules. This means that, when conducting a transfer impact assessment, a data controller can refer to the DPF adequacy decision as a conclusive finding by the European Commission that the two key protections introduced in the USA by the related Executive Order apply to transfers under their SCCs and provide suitable restrictions on government surveillance plus suitable redress for EEA data subjects. This makes any needed transfer impact assessment for the USA very straightforward.
It is important to note that this adequacy decision only covers transfers of personal data from the EU to the US. The UK Government is also working on an adequacy finding for the US and this decision should expedite the process.
The new EU-U.S. Data Privacy Framework will be discussed in detail at our forthcoming International Transfers workshop.