What’s the news?
On 10 July 2023, the European Commission (EC) adopted an adequacy decision in relation to the EU-U.S. Data Privacy Framework (DPF).
Where has this come from?
The DPF is a self-certification program setting out a series of principles for companies to follow when transferring personal data overseas (Principles). It is similar to its predecessors, the “Safe Harbor” and the “Privacy Shield.” Those programs were invalidated by the Court of Justice of the EU (CJEU) in Schrems II, a case about Facebook’s privacy and data policies. In Schrems II, the CJEU raised a number of concerns, most prominently involving access to the personal data of EU individuals by U.S. intelligence agencies. To address those concerns, U.S. President Biden signed an Executive Order (EO 14086) setting out new safeguards for data access.
A key feature of the safeguards is a redress mechanism for EU-based individuals whose personal data is transferred to the U.S. Early in June this year, the Office of the Director of National Intelligence confirmed that the U.S. Intelligence Community has adopted the policies and procedures that implement the safeguards specified in EO 14086.
Under the General Data Protection Regulation (GDPR), companies are required to ensure personal data is adequately protected when transferred outside the EU. Requirements for appropriate safeguards have continued to evolve with detailed guidance from the EC.
How will this have an impact?
- The adequacy decision paves the way for organisations to certify to the DPF, reducing friction for transfers of personal data from the EU to the U.S. and allowing companies to simplify their compliance with EU data flow restrictions. It represents a major development in the regulation of data flows from the EU to the U.S.
- The Federal Trade Commission (FTC) will verify, through ex-officio investigations and complaints, whether companies comply with the Principles set out in the DPF. An organisation’s failure to comply is enforceable by the FTC under Section 5 of the FTC Act (U.S.), which prohibits unfair or deceptive acts in or affecting commerce.
- Under the DPF, an individual can submit a complaint directly to either the company or the relevant EU country’s Data Protection Authority (DPA).
- The European Commission will monitor the DPF through periodic factual and legal checks. This involves continuous monitoring of the overall functioning of the DPF, and compliance by U.S. authorities with their representations and commitments. The result of periodic joint reviews will be presented to the EU Parliament and Council of the EU. If the U.S. authorities do not fulfill their commitments, the DPF may be suspended by the EC.
- While the UK is no longer a member of the EU, the announcement of the EC’s adequacy decision also paves the way for the establishment of a “UK Extension to the Data Privacy Framework”, which would facilitate flows of personal data between the UK and the U.S. (the “Data Bridge”) under UK law. Once in place, it is expected that when U.S. companies self-certify to the DPF this will also allow them to receive UK personal data under the Data Bridge.
What do you as a business need to consider?
- The DPF will significantly simplify GDPR compliance for organisations transferring personal data from the EEA to the U.S. If an organisation self-certifies to the DPF, it will be able to freely transfer personal data to the U.S. without having to carry out a Data Transfer Impact Assessment (DTIA) or implement supplemental measures. This is because the DPF is considered to provide adequate protection for cross-border data flows.
- Companies that currently use standard contractual clauses (SCCs) should consider whether the DPF would be a more appropriate transfer solution. The SCCs have downsides, such as having to execute them with each customer, partner, or vendor that is part of a restricted data flow.
- Although the DPF may be challenged in court, similar to its predecessors, this will likely take a number of years. In the meantime, the DPF provides a data transfer mechanism that companies can manage through self-certification.
Need more information? Have further questions? You can reach Burch&Co’s Privacy and Data specialist, Hana Lee, here for guidance and support to help you navigate any changes and make the most of new opportunities.