On July 10, 2023, the European Commission adopted its adequacy decision on the EU-US Data Privacy Framework (DPF). In a press statement, the European Commission clarified unambiguously that the adequacy decision concludes that the US ensures an adequate level of protection – comparable to that of the EU – for personal data transferred from organizations located in the EU to US organizations certified under the DPF.
Why is this significant?
Chapter V of the EU General Data Protection Regulation (EU GDPR) restricts transfers of personal data outside the EU/UK unless:
- that transfer is to a territory deemed to provide an adequate level of protection for personal data;
- a derogation applies;
- an appropriate transfer mechanism is used. The most common transfer mechanism has historically been the EU’s standard contractual clauses (SCCs).
Transfers to the US have historically benefited from adequacy-like treatment under an EU–US privacy framework known as the Privacy Shield. Under the Privacy Shield, businesses could voluntarily commit to comply with the Privacy Shield’s principles which set out requirements governing participating organizations’ use and treatment of personal data received from the EU, as well as the access and recourse mechanisms that participants must provide to individuals in the EU.
The Privacy Shield included a redress mechanism through the establishment of an Ombudsperson to whom complaints about mistreatment of personal data could be directed.
Schrems II
In the Schrems II decision of July 2020, however, the Court of Justice of the European Union (CJEU) ruled that the Privacy Shield was incompatible with the GDPR, throwing EU–US data transfers into significant legal uncertainty.
The European Commission sought to address a number of the concerns identified in Schrems II in its revised SCCs. Despite this, however, data transfers to the US have nonetheless been placed under significant scrutiny, with big-tech in particular being the subject of a number of adverse rulings. It is also important to note that, by virtue of retained EU law, the CJEU’s Schrems II judgment also applies to UK–US transfers of personal data.
What is the DPF?
The DPF is an agreement between the EU and the US that provides EU data subjects whose personal data is transferred to participating DPF organizations in the US with several new rights (eg to obtain access to their data, or obtain correction or deletion of incorrect or unlawfully handled data). In addition, it offers different redress avenues in the event their personal data is mishandled, including free-of-charge independent dispute resolution mechanisms and an arbitration panel.
The purpose of the DPF is to revive and enhance the Privacy Shield by addressing the concerns raised by the CJEU in Schrems II and, more broadly, EU concerns around unfettered US surveillance activities. The aim of the DPF is to allow EU companies to transfer personal data to US companies certified under the DPF without needing to use SCCs or an alternative international data transfer mechanism.
The DPF will be administered by the US Department of Commerce (DoC), which will process applications for certification and monitor whether participating organizations continue to meet the certification requirements. Compliance with the DPF will be enforced by the US Federal Trade Commission (FTC).
The adequacy decision on the DPF of July 10, follows:
- The European Commission and US government announcement in March 2022 that they had reached an agreement in principle on the DPF.
- President Biden’s Executive Order which was introduced in October 2022 to meet the requirements of the DPF and form the basis for an adequacy decision for transfers made using the DPF.
- The establishment of a new Data Protection Review Court in the US and the release on July 3, 2023 of policies and procedures the US intelligence community will adhere to as part of the Executive Order.
US signals intelligence
The Executive Order introduced, amongst other things, new binding safeguards for US signals intelligence activities to ensure such activities are necessary and proportionate in the pursuit of defined national security objectives and ultimately ensure the privacy of EU personal data. This represented a significant milestone for transatlantic data transfers.
The Executive Order also introduced a new two-layer independent and binding redress mechanism established under US law, which comprises of:
Layer one: In which EU individuals, along with those from Iceland, Liechtenstein and Norway, may lodge a complaint with the Civil Liberties Protection Officer of the US intelligence community; and
Layer two: In which EU individuals, along with those from Iceland, Liechtenstein and Norway, have the right to appeal that decision to the newly created US Data Protection Review Court. The Data Protection Review Court has investigative powers in respect of complaints from EU individuals, including the power to obtain relevant information from intelligence agencies, and will be able to take binding remedial decisions such as ordering the deletion of personal data.
Who can rely on DPF?
Organizations must certify their adherence to the detailed set of privacy obligations set out under the DPF (DPF Principles). These are:
- to inform transparently about their data processing (Notice Principle);
- to offer individuals the opportunity to choose (opt out) whether personal information is disclosed to a third party or used for a purpose that is different from the purpose(s) for which it was originally collected (Choice Principle);
- to accept responsibility for onward transfers (Accountability for onward Transfer Principle);
- to ensure data security (Security principle);
- to process only relevant data (Data Integrity and Purpose Limitation Principle);
- to grant data subject rights (Access Principle); and
- to enable effective legal protection (Recourse, Enforcement and Liability Principle).
Organizations will be entitled to rely on the DPF to receive EU personal data from the date the DoC has determined that the organization’s certification submission is complete and has added that organization to the DPF list. Organizations certifying for the first time are not allowed to publicly refer to their adherence to the DPF Principles before the DoC has added the organization to the DPF list. Organizations are required to re-certify their adherence to the DPF Principles on an annual basis.
While decisions by organizations to enter the DPF are entirely voluntary, effective compliance is compulsory. Organizations that self-certify to the DoC and publicly declare their commitment to adhere to the DPF Principles must comply fully with the DPF Principles immediately upon self-certification. All organizations should ensure they can comply with and document proof of their compliance.
US organizations should familiarize themselves with the DPF Privacy Principles and determine whether they currently comply with them or if there are further steps they need to take internally so that they are in a position to self-certify adherence. The DPF Principles that organizations are required to certify adherence to are listed at Annex I of the adequacy decision and lawyers can assist your organisation in reviewing these principles and analysing what steps need to be taken so that your organisation is in a position to self-certify its compliance to them.
What does certification involve?
To certify under the DPF (or re-certify), organizations are required to publicly declare their commitment to comply with the DPF Principles, ensure their privacy policy is amended to conform with applicable rules (eg include statements relating to conformity with the DPF Principles, applicable recourse mechanisms, etc) and fully implement the DPF Principles within the organisation.
As part of their certification application, organizations will have to submit information to the DoC on the name of the relevant organization, a description of the purposes for which the organization will process personal data, the personal data that will be covered by the certification, the chosen verification method (in the majority of cases this will be self-certification), the relevant independent recourse mechanism and the statutory body that has jurisdiction to enforce compliance with the DPF Principles.
Dispute resolution
Organizations may choose independent recourse mechanisms in either the EU or in the US such as a private-sector alternative dispute resolution body. Recital 73 GDPR explains that this includes the possibility to voluntarily commit to cooperate with the EU Data Protection Authorities.
Note, to register for the DPF organizations must also be subject to the jurisdiction of the competent US authorities, the FTC, the Department of Trade (DoT), or another statutory body that will have the necessary investigatory and enforcement powers and effectively ensure compliance with the DPF Principles. (The Annex to the adequacy decision states that other US statutory bodies recognized by the EU may be included in this list in the future. In the absence of any such additions to the list, certain categories of companies such as banks and telecoms providers may not be eligible at present to enter the DPF as they are not regulated by the FTC or the DoT.)
Certification or recertification submissions must be made via the DoC’s DPF website by an individual within the organization who is authorized to make representations on behalf of the organixation and any of its covered entities regarding its adherence to the DPF Principles.
What if you already have certification?
For those organizations that have maintained their Privacy Shield certification, the US DoC has stated that it will work with these companies to facilitate their transition to the updated privacy principles under the DPF. It appears that all companies who maintained their Privacy Shield registration have been automatically transferred over to the DPF list.
Participating organizations that previously self-certified to the EU-US Privacy Shield Framework Principles will need to update their privacy policies (and any other notices and flow down agreements) to instead refer to the “EU-US Data Privacy Framework Principles” and ensure that they comply with the DPF Principles. Such organizations must include this reference as soon as possible, and in any event no later than October 10, 2023.
If available online, an organization’s privacy policy must include a hyperlink to the DoC’s Data Privacy Framework website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved DPF Principles-related complaints free of charge to the individual data subject. (See “What does certification involve?” above)
Please note that by updating the privacy policy by October 10 (as required if organizations wish to maintain their transition of their Privacy Shield registration to the DPF) organizations are essentially self-certifying compliance to all the DPF requirements. If organizations do not then adhere to all requirements of the DPF they are liable for enforceable action from the FTC. Therefore, they need to review all the requirements of the DPF before making that update to their privacy policy and to ensure they are able to comply with the relevant requirements.
Upon the organization’s next annual recertification date, they will need to recertify to the new DPF Principles and provide the exact same information which organizations certifying for the first time are required to provide.
Will the DPF be challenged?
Yes, particularly as both the EDPB and European Parliament heavily criticised the DPF. Despite the fact the European Commission has confirmed the DPF “introduces new binding safeguards to address all the concerns raised by the European Court of Justice” it is certain that the DPF will still however be challenged, as opponents to the DPF, such as Max Schrems’ NOYB, have already stated publicly prior to the adequacy decision announcement that they do not agree the new safeguards adequately address the concerns raised in Schrems II.
On July 10, 2023, NOYB also released a press release stating its intention to challenge the adequacy decision. In this regard, NOYB criticized the DPF as being largely similar to the Privacy Shield and said that there is little change in US law – in particular that the fundamental problem with s702 of FISA was not sufficiently dealt with or addressed. The ultimate question therefore is whether the DPF will get the approval of the CJEU, as opposed to just the European Commission’s sign off.
What this means for EU businesses
If a supplier is relying on the DPF:
Always verify a supplier’s DPF registration by checking the DPF participant list to confirm the organization is indeed certified to the DPF principles, and conduct appropriate due diligence on the supplier to ensure you are satisfied of its compliance with the DPF Principles.
Note, if suppliers who were previously Privacy Shield certified import EEA data relying on the DPF alone after October 10, without having complied with recertification requirements by that date, our view is that they will no longer technically be in compliance with EU transfer rules even if they have been auto-transferred to the DPF system.
This situation will result in transfer risk for both sides of the transfer: exporting companies will be liable to EU enforcement action and importing US companies will be exposed to the risk of being in breach of their contract obligations with exporters. It is therefore important such suppliers who were previously Privacy Shield certified consider the position and take action as described under section “What if you already have certification?” (above) before October 10, and EU businesses conduct appropriate due diligence to verify the supplier has done so.
If a supplier is DPF certified, contractual provisions should be put in place requiring the supplier to remain certified and continue to observe the DPF principles, and also to flow down the necessary requirements to sub-processors.
Given that: (a) the DPF is going to be challenged in the future; and (b) organizations can lose their DPF certification, we would strongly recommend that contracts include fallback provisions that automatically implement the use of SCCs in the event that the DPF is struck out by the CJEU or an organization loses its certification.
Transfers to DPF registered organizations do not require transfer risk assessments (TRAs) to be completed, although see our comments on next steps below on that.
If the supplier is not DPF certified:
Ensure an appropriate transfer mechanism (such as SCCs or Binding Corporate Rules (BCRs)) are in place to safeguard the transfer.
TRAs must still be carried out, but crucially, it has been made clear in the European Commission’s Q&A that the safeguards enacted under the Executive Order are applicable to organizations using alternative transfer mechanisms, such as SCCs and BCRs. The effect of this is that businesses conducting TRAs in respect of transfers to the US can update their TRAs to reflect the immediate impact of the Executive Order and DPF, in particular the establishment of the Data Protection Review Court.
Any open TRAs can be concluded on this basis and any previously completed TRAs should be updated to reflect these recent developments.
What this means for global businesses with US operations
If you are a global business with operations in the US and they are Privacy Shield certified, follow the advice referred to at section 1.4 above. If the US group companies are not already Privacy Shield certified, we recommend you review the requirements for the DPF and consider registration.
When all US group companies are registered with the DPF, you should then update any intra-group data transfer agreements to refer to the DPF as the basis for any transfer to the US of EU personal data. As mentioned above, it may also be prudent to include SCCs as a fall back in the event the DPF is struck down.
For global businesses, it is important to bear in mind that these recent developments only concern EU to US transfers and have no relevance to international transfers to other third countries.
If your organization currently relies on BCRs, we recommend it continues relying on those BCRs (NB: BCRs are a global solution to international transfers and cover transfers beyond just EU to US).
What this means for UK businesses
For UK to US transfers, the UK has not yet adopted an adequacy decision for the DPF. However, we do anticipate the UK will follow the same path as the EU in this regard, as the UK Government announced on June 8, 2023 that it had reached a commitment with the US to establish a “data bridge” to apply to UK-US personal data transfers. This may be agreed as early as this year.
Until such time, however, UK-US transfers should continue to rely on UK approved international transfer mechanisms (such as the International Data Transfer Agreement or UK Addendum to the SCCs).
BCRs offer a solution
For any global companies, we would strongly recommend BCRs as the global way forward. BCRs offer a solution that applies not just to data transfers to the US, but to all third countries along with other global privacy advantages and are a global kite mark for privacy compliance. Furthermore, BCRs have not been subject to the same legal scrutiny and challenges from advocacy groups such as NOYB and data protection authorities as the SCCs, the Privacy Shield and Safe Harbor have been subject to, and which the DPF will inevitably also be subject to before long.
What should you do next?
Identify your international data flows – complete a data mapping exercise in accordance with Article 30 GDPR with a particular focus on identifying international data flows outside the EU-US and ensure it is maintained.
EU-US data flows – remember the DPF only applies to EU-US data flows and so knowing where your data is going outside the EU-US is vital as the DPF will not cover that arrangement.
Suppliers – do not assume any organization certified with the DPF has the DPF Principles in place, has them maintained and is complying with them. Controllers will still need to do their due diligence and check whether any data being processed by suppliers (or their sub processors) is occurring outside the EU-US and therefore the DPF will not apply.
Proof of compliance – unlike Privacy Shield, organizations will need to ensure they can comply with and document proof of compliance. This will need to be in place by October 10, 2023 for those organizations transferring their Privacy Shield registration to the DPF and wishing that to be maintained going forward. These organizations transferring their Privacy Shield registration to the DPF will also need to update their privacy policies to state their adherence to the new DPF Principles by October 10, 2023.
DPF Cachet – it is possible, like the Privacy Shield, there will be a US cachet to being certified with the DPF with US customers and so it may be worthwhile to apply for certification as part of an organization’s global privacy compliance, but the DPF will never on its own be enough.
EU and UK Customers – it is highly likely that EU and UK customers will not accept the DPF as a viable solution to transferring their data to US vendors, particularly as the likelihood of the CJEU opining on the DPF negatively in the next 18-24 months is high.
Ensure your international transfer documentation is in order – it is seven months since expiry of the EU deadline for implementing the new SCCs, meaning all contracts (including those pre-existing the publication of the new SCCs) are overdue being updated. Additionally, new contracts effecting transfers from the UK should implement the equivalent UK documentation and the deadline for updating pre-existing UK contracts is March 21, 2024. Regulators will need no further investigation to find a breach if the incorrect international transfer documentation is in place.
BCRs – we would strongly recommend any organization to consider BCRs as the global way forward and to avoid being subject to this continual legal uncertainty on data transfers, to satisfy their customers concerns and be able to evidence global privacy compliance.
TRAs – although technically not required for data transfers to DPF registered entities, they will still be required for any other third country not deemed adequate as well as if an organisation does obtain DPF certification. Customers are still likely to want to see them in any event and so we recommend continuing to embed them in your vendor management lifecycle.
Nick Holland, partner, is an international data privacy lawyer with over 25 years’ experience, specialising in supporting multinationals on global privacy compliance programs.