The EU-US Data Privacy Framework (DPF) has officially arrived: the European Commission adopted its adequacy decision on July 10, 2023, and it is in effect as of writing this article. The decision is a significant development after the EU-US Privacy Shield was invalidated by the now infamous Schrems II ruling of the Court of Justice of the European Union (CJEU) in July 2020. The DPF, like its predecessor, is a self-certification and verification program under which participating US organizations must demonstrate that they meet the framework's principles.
The Schrems II ruling highlighted two concerns: the broad access of US public authorities to EU personal data [under FISA 702, EO 12333, the CLOUD Act, etc.] and the absence of effective mechanisms for EU data subjects to challenge surveillance practices. In response, the US introduced safeguards through an Executive Order (EO 14086) in October 2022, accompanied by an Attorney General regulation establishing a new Data Protection Review Court (DPRC). It is, however, arguable whether the "Court" is a court in the strict sense of the term; it may instead be better described as an expert committee. The European Commission's decision came into effect on July 10, 2023, and the official DPF website became operational on July 17.
Impact on Personal Data Transfers under the DPF
The Commission's decision allows personal data to be transferred from the EU to US organizations that have self-certified under the DPF without any additional, "traditional" Article 46 GDPR transfer mechanism such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). At least while the decision stands, this should encourage EU organizations to engage with US providers without extra safeguards or transfer risk management, since an adequate level of protection for the transferred data is presumed.
Organizations that transfer personal data to the US under SCCs or BCRs in line with Article 46 GDPR must continue to perform transfer impact assessments (TIAs) as required by the Schrems II decision. The value of those TIAs is open to debate now that several DPAs and the EDPB have questioned the risk-based approach. Where they are conducted, however, they should reflect the content of the adequacy decision: the US safeguards the Commission assessed (the limits on intelligence access and the redress mechanism) apply regardless of the transfer tool used, so data exporters can in most cases assume a positive outcome, all the more so when the importing US organization is certified under the framework.
Implications for Privacy Shield Participants and DPF Enlistment
Organizations that were part of the old Privacy Shield can transition to the new DPF simply by updating their privacy policies within three months of the decision. The transition is automatic as long as the principles are upheld, which should be straightforward for many organizations: although the Privacy Shield was invalidated as a transfer mechanism, many US organizations continued to adhere to its principles. DPF participants must meet largely the same requirements as under the Privacy Shield, with minor changes in areas such as annual fees and self-certification details.
Enforcement and Complaint Mechanisms
Enforcement of the DPF remains with the Federal Trade Commission (FTC) and the Department of Commerce (DoC), which administers the list of certified organizations. The European Commission will monitor compliance through periodic checks, and joint EU-US reviews are provided for. For complaints about access by US intelligence agencies, the US introduced a two-tier redress mechanism: a complaint is first reviewed by the Civil Liberties Protection Officer of the Office of the Director of National Intelligence, with the newly established DPRC hearing appeals. Whether these mechanisms provide effective relief will only become clear in practice.
What Lies Ahead
Appeals
The primary concern of privacy practitioners is that privacy groups such as NOYB have announced plans to challenge the framework. NOYB has stated that the "third attempt of the European Commission to get a stable agreement on EU-US data transfers will likely be back at the Court of Justice (of the European Union) in a matter of months." They argue that the new framework does not adequately address the surveillance issues and that the US DPRC is shrouded in secrecy and lacks direct engagement with data subjects. The DPRC works with the data subject's local data protection authority and a specially appointed advocate, which means that the complainant cannot bring their concerns before the court themselves.
The United Kingdom & Switzerland
The decision also opens the door to a UK extension to the framework, the "UK-US Data Bridge", which would enable transfers of UK personal data to the US. The Swiss-US framework would likewise become operational, with certified members transitioning smoothly. However, transfers under it cannot take place until Switzerland issues its own adequacy decision.
Conclusion
In conclusion, the new framework appears to be an incomplete solution that will likely cause more headaches for practitioners in the long term. US and EU companies do not need to make large changes to use it, but the effort could turn into extra work later if, as seems likely, it is again invalidated by the European courts. Practitioners should be aware that any changes they make to their current international transfer processes may have to be reversed in the near future.
For that reason, enjoy the liberty the Commission's adequacy decision provides, but keep the pre-DPF arrangements [SCCs, BCRs, etc.] in place so that they can be reinstated should the DPF fall. Bear in mind, when doing so, that the risk-based approach is now in question: if no supplementary measures can be implemented to prevent third parties from accessing the transferred data, no transfer to the US will be possible once the DPF is declared invalid by the European courts.