On July 10, 2023, the European Commission (‘EC’) adopted its long-awaited adequacy decision approving the EU-U.S. Data Privacy Framework (‘DPF’). By doing so, the EC is confirming that personal data transferred to the U.S. under the DPF is adequately protected in line with the EU GDPR’s international data transfer rules.
Transfers of personal data from the EU to the U.S. have generated much controversy in recent years. In 2020, the DPF’s predecessor (the EU-U.S. Privacy Shield) was invalidated by the Court of Justice of the European Union (‘CJEU’) following a complaint made by privacy activist Max Schrems and his non-profit organization NOYB – European Center for Digital Rights (see our blog post here for more details). The adequacy decision will therefore be welcome news for many companies with dealings across the EU and the U.S.
Companies established in the EU (or whose personal data processing activities are otherwise subject to the EU GDPR) will be able to transfer personal data to the U.S. on the basis of the DPF going forward.
For such transfers to take place, the data importer in the U.S. will need to adhere to the new DPF via a certification mechanism (further information on how to do so is expected to be published on the DPF website) and adjust its data processing practices to take into account the DPF’s principles. Those principles are similar – but not identical – to the principles that underpinned the now-defunct EU-U.S. Privacy Shield. Some of the key features of the DPF include requirements for data importers in the U.S. to:
- Pay an annual fee;
- Provide transparency information to individuals whose personal data is transferred to the U.S. This includes informing individuals about why and how their personal data is collected and processed by the data importer (the ‘notice principle’);
- Ensure individuals can access the personal data processed about them, and can correct, amend, or delete that personal data where it is inaccurate or processed in violation of the DPF’s principles (the ‘access principle’);
- Set up a readily-available independent recourse mechanism to investigate individuals’ complaints and disputes at no cost to the individuals (the ‘recourse principle’);
- Update privacy policies to refer to the new DPF (no later than 3 months from the effective date of the DPF principles); and
- Implement procedures for verifying their own compliance with the DPF (through a self-assessment or through outside compliance reviews).
Companies in the EU seeking to rely on the DPF for the “export” of personal data to the U.S. will also need to adjust their practices, including by checking on the DPF website that the data importer in the U.S. and the relevant transfer of personal data are covered by the DPF. They must also ensure that relevant compliance documentation (such as data processing agreements and privacy notices) is updated as needed to reflect the data exporter’s reliance on the DPF.
Companies with data flows to the U.S. can now explore whether the DPF is a suitable data transfer tool for them. However, they should also keep in mind that alternative international data transfer tools remain available – such as the EU Standard Contractual Clauses (“SCCs”) and Binding Corporate Rules (“BCRs”).
- The European Commission has confirmed that the safeguards put in place by the U.S. Government to support the DPF (including the associated redress mechanism for individuals in the EU) apply to all data transfers under the EU GDPR to companies in the U.S., regardless of the transfer tool used. These safeguards therefore also facilitate the use of SCCs and BCRs. Companies relying on SCCs and BCRs for transfers of personal data to the U.S. can now strengthen their Transfer Impact Assessments (“TIAs”) by taking into account such safeguards.
- For companies that transfer personal data to a variety of jurisdictions worldwide, SCCs and BCRs will remain in many cases more appropriate international transfer tools than the DPF. Since SCCs and BCRs can be used to transfer personal data to jurisdictions other than the U.S., companies may, for example, take the view that it is preferable to have a consistent approach to international data transfers across different jurisdictions.
Finally, companies should keep an eye out for updates in this space. Max Schrems, along with NOYB, has already indicated that they have prepared options for challenging the validity of the new DPF before the CJEU. A successful challenge could see the DPF struck down like the EU-U.S. Privacy Shield and the EU-U.S. Safe Harbor before it, and so in the meantime many companies may take the view that SCCs and BCRs remain a “safer bet”.