New adequacy decision: EU-US Data Privacy Framework adopted

On 10 July 2023, the European Commission (EC) adopted its adequacy decision for the EU-US Data Privacy Framework (the DPF). The decision concludes that the United States ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new DPF. Personal data can therefore flow freely from the EU to US companies participating in the DPF, without having to put in place additional data protection safeguards. 

To get you up to speed with this significant regulatory development, Lydian’s Information Governance & Data Protection (Privacy) team has prepared the following summary. 

THE ADEQUACY DECISION AS THE ULTIMATE DATA TRANSFER MECHANISM

Under Chapter V of the GDPR, transfers of personal data from the EU to controllers and processors located outside the European Economic Area (EEA) (so-called “third countries”) should not undermine the level of protection of the individuals concerned. Transferring personal data outside the EEA is therefore only possible when “an adequate level of protection” is ensured or when “appropriate safeguards” are put in place. 

In case an adequate level of protection is ensured in a third country, the EC can grant an adequacy decision under Art. 45 of the GDPR. All data transfers covered by the scope of such adequacy decision are permitted without further legal safeguards being necessary. It will therefore not be required to rely upon another transfer mechanism, such as Standard Contractual Clauses (SCC), or Binding Corporate Rules (BCR), and it will not be necessary to conduct a Transfer Impact Assessment (TIA). 

THE SAGA CONTINUES…

Transfers of personal data from the EEA to the US have been under severe pressure for quite some years. Previous game-changing decisions of the Court of Justice of the European Union (CJEU) have shown the vulnerabilities in EU-US collaborations in terms of personal data protection: (i) Schrems I, in which the Safe Harbour principles were declared invalid and the decision of the Irish DPC rejecting Schrems' complaint was annulled; and (ii) Schrems II, which struck down the Safe Harbour's successor, the Privacy Shield, and questioned the validity of Standard Contractual Clauses.

The area of debate can be summarised in a nutshell as a clash of two very different legal regimes related to people’s personal data: on the one hand, far-reaching US surveillance law and, on the other hand, European data protection legislation. Three years after the Schrems II-decision, the EC published the new DPF with the ambition to finally put an end to the discussion and to enable free flows of personal data from the EEA to the US.


SCOPE OF APPLICATION OF THE DPF

It should be noted that the DPF does not apply to all transfers from the EU to recipients in the US, as is the case for other adequacy decisions such as the one relating to Japan. Free flows of personal data are only accepted by the EC insofar as it concerns transfers from controllers/processors in the EU to US organisations that are certified under the DPF.

In order to become certified, the US organisations must be subject to the jurisdiction of either the Federal Trade Commission (US FTC) or the US Department of Transportation (US DoT). Other organisations will therefore be excluded, such as banks, airlines and insurance companies, although their technology providers will be in scope.


In practice, US companies can self-certify their participation in the EU-US DPF by committing to comply with a detailed set of privacy principles (the EU-US Data Privacy Framework Principles and the Supplemental Principles issued by the US Department of Commerce (US DoC)). Amongst others, this 25-page list contains privacy principles such as purpose limitation, data minimisation and data retention, as well as specific obligations concerning data security, the sharing of data with third parties and access requests by public authorities (see infra).

The DPF will be administered by the US DoC, which will process applications for certification and monitor whether participating organisations continue to meet the certification requirements. Once certified, the US entity can receive personal data from the EU based on the DPF, but organisations are required to re-certify their adherence on an annual basis. Compliance by US organisations with their obligations under the EU-US Data Privacy Framework will be enforced by the US FTC through ex-officio investigations and complaints.

The US DoC has already announced that it will launch a new website for the DPF on 17 July 2023, where a list of certified organisations will be publicly available. Ahead of this launch, the US DoC will provide guidance to participants in the EU-US Privacy Shield to facilitate their transition to the DPF, as a simplified procedure will be adopted. It is therefore only a matter of time before the US big tech companies obtain certification, as was the case at the time of the Privacy Shield.

(RE)-CERTIFICATION OF US ORGANISATIONS

In order to become (re)certified as a US organisation, one must provide to the DoC a submission for self-certification containing the following information:

  • the name of the organisation;
  • a description of the purposes for which the organisation will process personal data and the personal data that will be covered by the certification;
  • a description of the privacy policies, including the date of implementation and where they are available;
  • a contact office within the organisation for the handling of complaints, access requests, and any other issues arising under the principles;
  • the statutory body that has jurisdiction to enforce compliance with the Principles;
  • the name of any privacy program in which the organisation is a member;
  • the chosen verification method, such as self-assessment or outside compliance reviews; 
  • the relevant independent recourse mechanism; and
  • additional information in case human resources data is concerned.

EU-US DATA PRIVACY FRAMEWORK PRINCIPLES

To certify under the EU-US DPF (or re-certify on an annual basis), organisations are required to publicly declare their commitment to comply with the principles, which are similar to the obligations imposed under GDPR.

1. Notice

Transparency towards data subjects is crucial, not only under the GDPR but also under the DPF. Individuals must be informed, in clear and conspicuous language, about the processing of their personal data. Amongst others, individuals must be informed about the types of personal data collected and the purposes thereof, the participation of the organisation in the DPF and its commitment to the principles, the rights of the individuals and the requirement to disclose personal data in response to lawful requests by public authorities.

2. Choice

Individuals must be given the possibility to opt out of the disclosure of personal data to third parties (controllers) and of its re-use for different purposes. Insofar as sensitive information is concerned, organisations will need affirmative express consent (opt in) for disclosure and re-use. In case the third party is acting as a processor (called an "agent" under the DPF), this choice will not apply. Nonetheless, in such case the organisation will need to enter into a contract with the third party that is performing tasks on its behalf.

3. Accountability for Onward Transfers

Organisations must also enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the principles.

In case of third-party processors, the contract must include, amongst others, that data may only be transferred for limited and specified purposes, and it must be ascertained that at least the same level of privacy protection as is required by the principles is adhered to.

4. Security

Reasonable and appropriate security measures must be taken by organisations creating, maintaining, using or disseminating personal information to protect it from loss, misuse and unauthorised access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.

5. Data Integrity and Purpose Limitation

The personal information must be limited to what is relevant for the purposes of processing, meaning that all other processing that is incompatible with the purposes for which it has been collected or subsequently authorised by the individual is forbidden. To the extent necessary for those purposes, an organisation must take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. As long as it serves the purposes of processing, the information can be retained in a form identifying or making identifiable the individual. Processing personal information for longer periods of time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research, and statistical analysis is subject to other conditions.

6. Access

Individuals have the right of access to, deletion of and rectification of the personal information that an organisation holds about them, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated. Organisations shall respond to access requests within "a reasonable time period".

7. Recourse, Enforcement and Liability

In order to ensure effective privacy protection, robust mechanisms for ensuring compliance with the principles, recourse for individuals who are affected by non-compliance with the principles, and consequences for the organisation when the principles are not followed, must be provided. In this regard, organisations shall have specific obligations as to the response to inquiries or requests by the US DoC. 

8. Supplemental Principles

In addition to the principles listed above, the DPF includes a list of supplemental principles, the substance of which has been significantly altered in comparison to the previous Privacy Shield. Such supplemental principles include, inter alia, extra safeguards with regard to sensitive data and human resources data.

IMPROVEMENTS TO THE PREVIOUS PRIVACY SHIELD

According to the EC, significant improvements were made to the previous Privacy Shield in order to address all concerns raised in the Schrems II decision. The aim of the EC was to provide a durable and reliable basis for transatlantic data flows. To achieve this purpose, the concerns raised in the Schrems II decision are reflected in the safeguards included in Executive Order 14086, regarding both the substantive limitation on US national security authorities' access to data (necessity and proportionality) and the establishment of new redress mechanisms for data subjects.

ACCESS TO DATA BY US INTELLIGENCE AGENCIES AND EFFECTIVE REDRESS

An important reason for striking down the Privacy Shield in the Schrems II decision was the fact that the far-reaching US surveillance laws were not limited by any principle of proportionality and did not indicate any limitations on the power they confer to implement the surveillance programmes, nor the existence of guarantees for potentially targeted non-US persons.

This concern of unlimited access by US intelligence agencies was addressed by Executive Order 14086, which establishes binding safeguards that limit access to data to what is necessary and proportionate to protect national security. Moreover, measures will be taken to prevent any further use of the information collected, amongst others by imposing appropriate data security to prevent access by unauthorised persons and standards for accuracy and objectivity, as well as by applying retention and documentation obligations. In order to ensure compliance, the activities of US intelligence agencies will be subject to enhanced oversight by various bodies.

Finally, European data subjects are given the possibility to bring legal action before an independent and impartial tribunal with binding powers. The DPF grants individuals access to their personal data, the right to have the lawfulness of government access to their data reviewed and, if a violation is found, to have such violation remedied, including through the rectification or erasure of their personal data. Any individual in the EU is entitled to submit a complaint to the redress mechanism, via his/her local Data Protection Authority, concerning an alleged violation of US law governing signals intelligence activities (that adversely affects their privacy and civil liberties interests). The investigation is initiated by the Civil Liberties Protection Officer of the Director of National Intelligence, who will determine whether a violation of applicable US law has occurred and, if that is the case, decide on an appropriate remediation. Such decisions are binding on the US intelligence agencies concerned. Thereafter, the complainant may seek review before the Data Protection Review Court (DPRC), an independent administrative tribunal.

IMPACT ON EUROPEAN ORGANISATIONS?

The importance of this issue should not be underestimated, as the DPF changes the data protection landscape significantly. Personal data can flow freely from the EU to US certified organisations, without having to carry out a Data Transfer Impact Assessment (DTIA) or implement supplementary measures. European data exporters must therefore consider the appropriateness of the new transfer mechanism for their data flows to the United States. To the extent data exporters decide to rely on the DPF, changes to the organisation's policies and procedures will be required, including updating the privacy notice to EU data subjects.

On the other hand, the DPF also impacts other data transfer mechanisms that are nowadays used by many organisations, such as SCCs or BCRs, as the DPF's safeguards can be used in DTIAs to justify data flows to the US under these transfer mechanisms. The DTIA process for the US can therefore be significantly simplified.

ENTRY INTO FORCE AND PERIODIC REVIEWS

The EC adopted its adequacy decision on the DPF on 10 July 2023 and it came into force a day later. However, the acknowledgement of the adequate level of protection that is given to organisations under the DPF is not fixed and perpetual. As is the case for every adequacy decision, the EC will keep an eye on the legislative developments in the third country and will review the adequacy decision on a regular basis.

In case the EC has concerns that an adequate level of protection is no longer ensured, it will inform the competent US authorities and, if necessary, may decide to suspend, amend or repeal the adequacy decision or limit its scope. The first review will take place within one year after the entry into force of the adequacy decision, meaning July 2024, to verify whether all relevant elements of the US legal framework (Executive Order 14086) have been fully implemented and are functioning effectively in practice. After this first review, the EC will decide, in consultation with the EU Member States and Data Protection Authorities, on the periodicity of future reviews, which will take place at least every four (4) years.

SCHREMS III LOADING?

Although the EC is very confident about the solution for EU-US data transfers that has now been developed, as expected, it is not being welcomed by everyone. noyb has already stated that it will challenge the DPF, as it is "largely a copy of the Privacy Shield" and does not address the fundamental problem with FISA 702.

The question therefore arises as to whether new proceedings before the CJEU (“Schrems III”) will overturn the new DPF and put us back in the previous situation where additional measures (conducting a DTIA and implementing supplementary measures) must be taken. In any case, it is likely that such proceedings will take a number of years. As a result, EU data exporters can rely upon this new transfer mechanism for transfers to the US, keeping in mind that there could potentially be an expiration date to these practices.

As this development has a significant impact on organisations worldwide, Lydian's Information Governance & Data Protection (Privacy) team is keeping a close eye on further developments.

Authors

  • Liese Kuyken, Associate