GDPR International Data Transfers: EU Commission Adopts New US Adequacy Decision

With the new EU-US Data Privacy Framework in place, personal data may again be transferred from the EU to any US-based commercial organization participating in the Framework free of further restrictions or authorizations.

On July 10, 2023, the European Commission (EC) adopted its adequacy decision for the EU-US Data Privacy Framework (DPF) (see EC’s press release, adequacy decision). According to the Commission, this Framework shall protect data subjects and provide legal certainty for companies.

The decision

Data exporters may rely on the new adequacy decision when transmitting data to US companies, once the US companies have enrolled in the Framework, without having to put in place additional safeguards (as previously required by the CJEU, see our Client Alert here). Similar to the late EU-US Privacy Shield, the list of participating companies is maintained and made publicly available by the U.S. Department of Commerce (list).

The level of data protection shall be ensured by a new set of binding safeguards introduced by the DPF and changes made in US intelligence services reflecting the CJEU’s concerns. These measures include new internal rules for US agencies as well as complaint and oversight procedures for EU data subjects. Data subjects will have access to the “Data Protection Review Court” (DPRC) free of charge. This court can order the deletion of personal data collected in violation of the principle of necessity or proportionality. In order to provide effective protection, data subjects need not prove that US agencies have accessed their data.

The next steps for EU and US companies

Starting on July 11, 2023, companies subject to the GDPR may rely on the DPF as a transfer tool for transmitting data to US companies participating in the Framework.

  • US companies must join the EU-U.S. Data Privacy Framework by committing to comply with a detailed set of privacy obligations, in order to benefit from the adequacy decision.
  • EU companies must review whether their US data importers are already enrolled in the Framework.
  • Upon the change to the new transfer tool, relevant privacy documentation must be updated (privacy notices, registers of processing activities, data processing agreements, …).

Insights for current transfers

The adequacy decision relies materially on Executive Order 14086, titled ‘Enhancing Safeguards for US Signals Intelligence Activities’ (EO 14086) and issued by US President Joe Biden on October 7, 2022 (see I.(6) of the decision). Based on the EC’s assessment, companies that have already incorporated Standard Contractual Clauses (SCCs) and conducted Transfer Impact Assessments while considering this Executive Order may justifiably argue that the SCCs already provide appropriate safeguards. Furthermore, companies may contend that the need for “additional measures”, as initially required by the CJEU, is no longer applicable for transfers to the US after the issuance of the new Executive Order.

Likewise, the safeguards introduced by the US will continue to facilitate data transfers using other transfer tools (e.g. SCCs or binding corporate rules).

Dead on arrival?

Data privacy activists continue to note their scepticism and may again challenge the decision before the European Courts. Didier Reynders, Commissioner of the EC, confirmed that he is confident that the new systems adhere to the two principles required by the CJEU’s case law, namely the necessity and proportionality of data access. He notes that the GDPR requires an adequate but not an identical level of protection. Therefore, even though some aspects of EU and US privacy law may differ, the overall protection provided in the US is sufficient. He further highlighted that the EC will monitor the implementation of the new measures introduced in the US. The first review shall take place within a year.

Nonetheless, if such challenges by data privacy activists are successful, the adequacy decision may once again be short-lived. Therefore, companies may still seek to implement back-up and exit strategies for alternative transfer mechanisms (e.g. Standard Contractual Clauses and Transfer Impact Assessments).

By Roland Marko and Johannes Sekanina, Associate, Wolf Theiss