The new adequacy decision for EU-US data transfers – lucky number three or third strike?
On 10 July 2023, almost three years after the previous framework for transatlantic data flows was overturned by the Court of Justice of the European Union (CJEU), the EU Commission adopted a new adequacy decision for EU-US data transfers. The new framework, the EU-US Data Privacy Framework (EU-US DPF), enables transfers of personal data from the EU to certified US-based companies without additional safeguards.
- On 10 July 2023, the EU Commission issued a new adequacy decision enabling EU-US data transfers, the EU-US DPF. The adequacy decision entered into force on the same day, enabling data transfers between EU entities and certified US entities (the US Department of Commerce publishes a public list of the certified entities).
- Similar to its predecessor Privacy Shield, which was overturned by the CJEU in 2020, the EU-US DPF enables data flows between any EU-based private or public entity and US-based companies that are participating in the framework.
- US companies that wish to participate in the framework need to certify (and annually re-certify) themselves by publicly committing to comply with a set of privacy principles. The privacy principles reflect the rights and obligations laid down in the GDPR. The privacy principles under the EU-US DPF are substantially the same as in the Privacy Shield.
- The US Department of Commerce (DOC) will keep a public list of the certified companies and, once a company is listed, it can receive data from the EU-based entities. The DOC also oversees compliance with the certification requirements by the participating companies, and a non-complying company can be removed from the list.
- When relying on the EU-US DPF as a transfer mechanism, the EU-based data exporter is not required to perform a transfer impact assessment or to implement additional safeguards or measures.
- If a US-based company is not participating in the framework, other transfer mechanisms under the GDPR, such as standard contractual clauses or binding corporate rules, must be implemented when transferring data to such a company from the EU. An EU-based data exporter relying on these alternative tools would also still need to perform a transfer impact assessment. However, the safeguards put in place by the US government apply to EU-US data transfers irrespective of the transfer tool used. Therefore, the transfer impact assessment and its result should reflect the adequacy decision in this respect.
The GDPR permits personal data to be transferred to third countries (i.e., countries outside the EEA) only if the level of data protection guaranteed by the GDPR is ensured. One way to achieve this is an adequacy decision issued by the European Commission, finding that such a level of protection is ensured in a specific third country.
In such a case, no further safeguards, requirements, or authorizations are needed. Alternatively, other transfer mechanisms, such as standard contractual clauses (SCCs) or binding corporate rules (BCRs), can be implemented to ensure an adequate level of data protection when transferring data outside the EEA.
The new EU-US DPF transfer tool is the response to the 2015 and 2020 rulings of the CJEU (in the cases known as Schrems I (C-362/14) and Schrems II (C-311/18)) invalidating the former adequacy decisions relating to EU-US data transfers, namely the Safe Harbor and Privacy Shield frameworks.
In essence, the frameworks were invalidated by the CJEU because the arrangements did not effectively provide the level of data protection for European data subjects required by European data protection law and the Charter of Fundamental Rights of the European Union. Particular shortcomings concerned the lack of means for data subjects to seek redress and legal recourse against violations, and inadequate protection against US government agencies' access to their data.
In the aftermath of the Schrems II judgment, and in the absence of a valid adequacy decision, the US and the EU agreed in principle on a new transatlantic data transfer framework in March 2022. Negotiations between the US President's administration and the European Commission resulted in US Executive Order 14086, "Enhancing Safeguards for United States Signals Intelligence Activities", which addressed the concerns raised by the CJEU when it invalidated the previous frameworks.
On 3 July 2023, the US announced that it had fulfilled its commitments for implementing the framework. On 10 July 2023, the European Commission adopted its adequacy decision for the EU-US DPF, and it entered into force on the same day.
Introduction to EU-US DPF – what does it entail?
As a result of the adequacy decision, self-certified private organizations subject to a set of data protection principles under the EU-US DPF are permitted to receive personal data from the EEA with no additional transfer safeguards. Equally, European entities exporting data are permitted to rely on the EU-US DPF when transferring data to such certified US-based entities.
Data subjects, for their part, can submit their requests and complaints directly to the US-based entities, which, as a result of certification, now have an enforceable obligation to adhere to the data protection rights and principles recognized in the EU-US DPF.
The self-certification of US-based organizations is done publicly and on an annual basis to demonstrate the organization’s commitment to obligations laid down in the framework. A list of self-certified entities is administered by the DOC, which processes applications for certification and oversees certified companies’ compliance with the EU-US DPF.
Information on organizations that are part of the EU-US DPF, as well as on organizations that have been removed due to non-compliance, is made available to the public. The DOC's website for the Data Privacy Framework, including the public list of certified companies, was launched on 17 July 2023.
US entities wishing to self-certify are required to comply with a number of obligations aimed at ensuring EEA data subjects' data protection rights; these obligations are based on those under the invalidated Privacy Shield framework. They include a commitment to implement data subject rights reminiscent of those under the GDPR, to establish an independent dispute resolution body for data subject complaints, to make available information on data processing activities and on the purposes of the processing and of transfers to third parties, to comply with certain documentation and employment-related processing requirements, and to give individuals the choice to opt out of direct marketing and of transfers of their data for further processing purposes.
In general, the purpose of the EU-US DPF is to ensure that European data subjects can enjoy the same level of protection and rights with certified US entities, while also providing for an effective recourse mechanism for rights or cases of infringement.
In response to the concerns raised by the CJEU in the Schrems II judgment regarding access to European data subjects' data by US intelligence agencies, certified organizations may disclose personal data to US authorities only to the extent necessary to meet national security or law enforcement requirements, and such access by US authorities is itself limited to what is necessary and proportionate.
Furthermore, the EU-US DPF requires that data subjects be informed of such requirements, and that certain information security standards apply to both the transferor and the transferee. A new redress mechanism with increased oversight, the Data Protection Review Court, has been established. It should be noted that the reform limiting US intelligence authorities' access to the personal data of EEA individuals also benefits other transfer mechanisms, such as the SCCs and BCRs.
What does this mean for European entities transferring data to the US?
First and foremost, from the perspective of European entities, the EU-US DPF brings some much-needed certainty to transatlantic data flows. The Schrems II judgment left European entities puzzled as to the circumstances in which (if any) personal data is permitted to be transferred to the US and how to comply with the new requirements, such as the performance of a transfer impact assessment, laid down in the judgment.
Now, the EU-US DPF again enables data flows between EU entities and certified US companies without additional safeguards or measures having to be taken by the European entity exporting the data.
However, it should be remembered that the EU-US DPF is just one of the tools available to transmit data internationally, the SCCs and BCRs being alternatives. Where SCCs and BCRs are relied on, a transfer impact assessment is still needed. That being said, the EU-US DPF has a positive impact on the use of other transfer tools too. The safeguards that were put in place by the US government as a result of the EU-US DPF apply to EU-US data transfers irrespective of the transfer tool used and, thus, lower the risk of EU-US data transfers as a whole.
In addition, even though it is still necessary to conduct a transfer impact assessment when relying on other transfer tools, the assessment and its results should reflect the adequacy decision and the changes implemented by the US government with respect to access to European data subjects' data. In practice, this means that existing transfer impact assessments may need to be updated to reflect the safeguards put in place in the US.
While the principles contained in the EU-US DPF correspond to the primary obligations laid down in the GDPR, the framework should not be understood as removing the need for comprehensive, accurate and exhaustive data protection agreements when transferring personal data to the US. As with the previous transfer frameworks, the liability of the transferring party does not end with the transfer of data to the US; rather, the framework makes it easier to ensure and demand compliance in the US.
The European Commission will evaluate the EU-US DPF together with the European data protection authorities and the competent US authorities. The first review is scheduled to take place in July 2024, and further evaluations of the adequacy decision will follow at regular intervals. In between reviews, the European Commission will continually monitor whether the US legal framework is functioning to the agreed standard. Should the European Commission consider that the level of data protection afforded by the adequacy decision is no longer sufficient, the decision may be suspended, amended or repealed.
Also, it cannot be ruled out that, as with its predecessors, a challenge will be brought before the CJEU against the EU-US DPF on the ground that it does not comply with EU law. The European privacy organization NOYB, led by Mr. Schrems, who was behind the overturning of the two previous adequacy decisions concerning EU-US data transfers, has already publicly stated that it will challenge the adequacy decision.
Like its predecessors, the EU-US DPF has faced, and is expected to face, criticism and challenges. As with other international data transfer mechanisms, it is important to determine the choice of transfer tool based on the business activity.
It is advisable for organizations that process personal data and currently rely on SCCs and/or BCRs to consider the impact of the adequacy decision on the data they transfer to the US and on their current transfer tools. It should also be noted that reliance on the EU-US DPF requires European data controllers and processors to update their documentation.