On 10 July 2023, the long-awaited adequacy decision for the EU-US Data Privacy Framework (“DPF”) was published by the EU Commission. This enables personal data to flow freely from the EU based jurisdictions to companies in the US that participates in the DPF, without organisations having to put in place additional legal safeguards such as the Standard Contractual Clauses (“SCCs”) in respect of that data transfer. The decision was immediately effective (as of 10 July 2023) and the official DPF website will be operational from 17 July.
What does this mean?
According to the EU Commission’s assessment, the US ensures an adequate level of protection for personal data transferred from the EU to US companies under the framework. Once an organisation obtains approval from the US Department of Commerce (“DoC”) that it is compliant with the DPF principles (which represent a slight variation to the revoked Privacy Shield principles), that organisation can freely receive personal data from the EU.
The DPF provides for a new set of rules and safeguard measures to limit access to the data by US intelligence agencies to what is necessary and proportionate to protect national security.
Key Points
1. Self-certification – organisations that wish to be certified must submit information about their data processing activities to the DoC, self-verify and publicly commit their compliance with the DPF Principles.
2. Transfer Risks Assessments – organisations transferring personal data to US-based data importers who participate in the DPF will not need to carry out transfer risk assessments, because the DPF benefits from an EU adequacy decision.
3. Privacy Shield participation – organisations that have been self-certified under the Privacy Shield can convert their certification into DPF certification. They will need to update references in their privacy policies to the “EU-US Data Privacy Framework Principles” within three months.
4. Complaints handling – there is an adoption of a two-tier redress system to investigate and resolve complaints of European citizens on access to data by US intelligence authorities. An individual can submit a complaint directly to either (a) the company that certified to the DoC, which must have a complaint process readily available and free of charge; or (b) EU Data Protection Authorities, which will cooperate with the DoC and the Federal Trade Commission. If necessary, individuals can also appeal a complaint to the newly established Data Protection Review Court, which is an independent entity comprised of individuals who are not a part of the US Government.
5. Periodic reviews – periodic factual and legal reviews of the effectiveness of the DPF will be undertaken by the European Commission, together with representatives of EU data protection authorities and the US authorities. This will involve continuous monitoring of the overall functioning of the DPF, as well as compliance by US authorities with their representations and commitments.
6. Fallback option – the SCCs should continue to be used as a fallback option – especially if the organisation cease to be certified to the DPF, or if the DPF were to follow the Privacy Shield and be struck down (see below).
7. Schrems III? – as mentioned in our previous articles, the two prior EU-US data transfer frameworks (Safe Harbour and Privacy Shield) were successfully challenged by Max Schrems in the Court of Justice for the EU and subsequently ruled incompliant with EU data protection law. As anticipated, NOYB and Max Schrems have already published an article announcing an intention to file a challenge to the DPF as it has, in the eyes of NOYB, again failed to address fundamental surveillance issues undertaken by the US state.
What does this mean for the UK?
Whilst the UK is no longer a member of the EU, this adequacy decision should pave the way for the establishment of the ‘UK extension to the Data Privacy Framework’ which would facilitate flows of personal data between the UK and the US, otherwise known as the ‘Data Bridge’ under UK law. On 11 July 2023, the DoC issued a statement that eligible organisations in the US that wish to self-certify their compliance pursuant to the UK Extension may do so; however, they may not begin relying on the UK Extension to receive personal data transfers from the UK before the date that the UK’s anticipated adequacy regulations implementing the data bridge for the UK Extension enter into force.
This has been a ground-breaking decision and one hope this is a step in the right direction as an opportunity for businesses to leverage secure data transfers across the Atlantic. Hopefully, once implemented, this framework will last longer than Privacy Shield and Safe Harbour.
How can Burges Salmon help?
If you would like any further information, please contact David Varney or another member of our Data Protection team.