On July 10, 2023, the European Commission (“Commission”) adopted an adequacy decision for the EU-US Data Privacy Framework (“DPF”). The DPF is the successor to the EU-US Privacy Shield, which the Court of Justice of the European Union (“CJEU”) declared invalid in 2020.
This adequacy decision reflects agreement by the Commission that the DPF offers an adequate level of protection for personal data transferred from the European Union to the United States under Article 45(1) of the General Data Protection Regulation. Moreover, the DPF entered into force upon adoption of the adequacy decision yesterday. This means that US businesses certified under the DPF no longer require separate data transfer mechanisms in order to transfer personal data from the European Union to the United States.
US Commitments and Reforms
The adequacy decision follows a series of developments in the United States aimed at addressing the CJEU’s concerns about the prior framework, the EU-US Privacy Shield, especially in connection with US surveillance activities. The US Department of Justice (“DOJ”) and other executive agencies have recently published announcements about the DPF and the completion of various changes related to data collection by US intelligence agencies for criminal law enforcement and national security purposes. These commitments were described in President Joe Biden’s October 7, 2022 Executive Order 14086. (For more information, please see our Legal Update of October 2022.)
Per the DOJ, the adequacy decision for the DPF brings into effect the redress mechanism established in Executive Order 14086. This means that EU individuals may submit complaints to obtain redress for alleged legal violations in relation to US intelligence activities affecting their personal data transferred to the United States. The US Secretary of Commerce announced that EU/EEA member states are “qualifying states” for which the redress mechanisms will be made available. The US Office of the Director of National Intelligence (“ODNI”) also released policies and procedures for the intelligence community to implement the data privacy safeguards specified in Executive Order 14086, including tailored procedures for the Central Intelligence Agency (“CIA”), Federal Bureau of Investigation (“FBI”), National Security Agency (“NSA”), and Department of Homeland Security (“DHS”), among others in the intelligence community.
EU Adequacy Decision
The Commission considered that the new binding safeguards introduced by the DPF address the CJEU’s concerns in its 2020 Schrems II decision. Such safeguards include the limitation of access to EU data by US intelligence services to what is necessary and proportionate, as well as the establishment of a specific redress mechanism and a Data Protection Review Court to handle and resolve complaints from individuals concerning US intelligence activities. Based on these and other developments, the Commission concluded that the DPF ensures an adequate level of protection for transfers of EU personal data to the United States and issued an adequacy decision. While the adequacy decision is final and in effect, it could be subject to an invalidation procedure before the CJEU.
Implications for Clients
The DPF is based on a system of certification under which US organizations commit to a set of privacy principles. With the DPF covered by an adequacy decision, data transfers from the European Union or the European Economic Area by US businesses that are certified under the DPF no longer require separate data transfer mechanisms to provide additional safeguards, such as Standard Contractual Clauses or Binding Corporate Rules. Transfers from the European Union to the United States under the DPF will not require a Transfer Impact Assessment to be performed, but transfers under Standard Contractual Clauses will continue to need this assessment.
On the US side, the DPF is administered by the US Department of Commerce and enforced by the US Federal Trade Commission (“FTC”). The US International Trade Administration and US Department of Commerce launched a website to facilitate the DPF. The website provides information on participating organizations, how to self-certify, and other related resources. Participating organizations must re-certify their adherence to the DPF on an annual basis and will be subject to the jurisdiction of US authorities, including the FTC.