Navigating the EU-US Data Privacy Framework: A Relief for US Organizations
Introduction
Due to the significant transfer of personal data from the European Economic Area (“EEA”) to the United States (“US”), there is a collective sigh of relief among US-based organizations, especially cloud-based services operating in the US. This is because of the European Commission’s (“Commission”) adoption of its adequacy decision for the new EU-US Data Privacy Framework (“DPF”) on 10 July 2023.[1]
The DPF concludes that the US ensures adequate protection for personal data transferred from the EEA to companies that participate in the DPF. Since July 2023, European organizations have therefore been able to transfer personal data to those entities without the additional data protection safeguards otherwise required under the General Data Protection Regulation (“GDPR”).
In this article, we summarize this groundbreaking decision and the DPF, which has far-reaching implications, together with other pertinent adequacy decisions.
Background
The GDPR mandates an adequate level of data protection for personal data transfers outside the EEA. Mechanisms that guarantee adequate protection under the GDPR follow a graduated rule-exception principle. The basis is Article 45 of the GDPR, which expressly permits a transfer to a third country if the Commission has decided that the third country, a region, or several specific sectors in this third country offer an adequate level of protection.
Previously, two attempts were made to ensure an adequate level of protection for data transfers from the EEA to the US. First the EU-US Safe Harbor Framework, and then the EU-US Privacy Shield Framework, were invalidated by the Court of Justice of the European Union (“CJEU”) in its Schrems I and Schrems II rulings due to concerns over US surveillance practices. The CJEU held that US surveillance powers were not sufficiently restricted by US law and that data subjects lacked a means of enforcing their rights in US courts. As a result, data exporters could not transfer personal data to the US without an adequacy arrangement or without implementing sufficient supplementary measures to ensure adequate protection. This necessitated the creation of the DPF to address these shortcomings.
The DPF in a Nutshell
Since both adequacy decisions failed mostly due to the possibility of US agencies surveilling personal data, it is not surprising that the DPF improves its predecessors by restricting their ability to gain access to the personal data of EEA data subjects. Notably, the DPF introduced the Data Protection Review Court (“DPRC”), a new and independent tribunal, to ensure that EEA data subjects have avenues for seeking compensation and dispute resolution. With those provisions, the DPF aims to rectify past issues, providing a robust and GDPR-compliant framework for data transfers to the US.
However, the mere existence of the DPF is not enough for a GDPR-compliant transfer of personal data to the US. The DPF only applies to transfers made to certified and listed organizations. In other words, for US organizations to benefit from the DPF, self-certification is mandatory. Therefore, US organizations must self-certify to the International Trade Administration (“ITA”) at the US Department of Commerce through the DPF website[2] and publicly commit to comply with the DPF principles, which can be summarized as follows:
The Notice Principle
An organization must provide transparency regarding the processing of personal data.
The Choice Principle
An organization must offer individuals the opportunity to choose whether their personal data is to be disclosed to a third party or used for a purpose different from the purposes for which it was originally collected.
The Accountability for Onward Transfer Principle
An organization must comply with the previous principles and enter into a data protection agreement with the data importer.
The Security Principle
An organization must ensure the security of personal data.
The Data Integrity and Purpose Limitation Principle
Processed personal data must be accurate, complete, and current and processing must be limited to the relevant purpose.
The Access Principle
Individuals must have access to their personal data and have the opportunity to correct, amend, or delete inaccurate or unlawfully processed personal data.
The Recourse, Enforcement, and Liability Principle
Individuals must have access to effective legal protection and means of recourse.
The endorsement of the DPF will also influence transfer impact assessments ("TIA") conducted by companies. For those depending on the EU-US Framework, a TIA may not be required from a technical standpoint, as the adequacy decision for the EU-US Framework substitutes the adequacy assessment in the TIA.
For a US-based organization to rely on the DPF, it is not enough to commit to those principles and self-certify. The organization must also be placed, and remain, on the DPF List, which is updated annually using re-certification submissions from participating organizations and by removing those that voluntarily withdraw or fail to comply with the principles.
As stated above, US organizations may freely decide whether to join the DPF Program. On the other hand, compliance with the DPF after self-certification is mandatory. Thus, the commitment to adhere to the DPF Principles is enforceable under US law. The Federal Trade Commission (“FTC”) and the Department of Transportation (“DOT”) ensure compliance by issuing compliance orders or financial penalties for ongoing violations. Persistent failure to adhere to the principles results in removal from the DPF List, and the organization must then return or delete all personal data received under the DPF.
As mentioned above, the DPF aims to provide EEA data subjects with robust mechanisms for seeking compensation and resolving disputes while ensuring an adequate level of data protection. On 24 April 2024, the European Data Protection Board (“EDPB”) issued new rules of procedure outlining the cooperation and respective roles of national supervisory authorities and the EDPB Secretariat concerning the submission of complaints within the available redress mechanisms.[3] These mechanisms address alleged violations of US law related to data collected by US authorities for national security purposes. The guidance documents include rules of procedure in the form of Q&A information, an information note on the DPF redress mechanism for national security purposes, a template complaint form for the US Office of the Director of National Intelligence's Civil Liberties Protection Officer, the Rules of Procedure for the "Informal Panel of EU DPAs" under the DPF, and a template complaint form for commercial-related grievances to be submitted to EU data protection authorities.
UK Extension and Swiss DPF
The DPF is designed to regulate data transfers between the EU and the US; its applicability does not extend to data transfers from the UK to the US, since the DPF was adopted after Brexit.
On the other hand, on 12 October 2023, not long after the Commission's decision, the United Kingdom (“UK”) Extension to the DPF (“UK Extension”) – also known as the UK - US Data Bridge – entered into force.[4] This development clears the path for seamless transatlantic personal data transfers from the UK to the US. Importantly, the UK Extension allows the transfer of personal data from the UK to the US without necessitating additional safeguards. Before initiating the transfer of personal data to the US, a UK-based exporter is required to verify that the US-based recipient has undergone self-certification under the DPF and has enrolled in the UK Extension. This verification can be completed simply by searching the DPF List.
At the same time, the Swiss-US Data Privacy Framework (“Swiss-DPF”) entered into force on 17 July 2023 for data transfers from Switzerland to the USA. However, personal data cannot be received from Switzerland in reliance on the Swiss-DPF until the date of entry into force of Switzerland’s recognition of adequacy.[5]
Conclusion
The unveiling of the EU-US Framework has been highly anticipated by numerous US-based companies, particularly those operating in sectors reliant on cross-border data flows, such as AI, cloud computing, and social media platforms. At this stage, it is evident that US companies and European entities are relieved that no further data protection safeguards are needed for transfers to self-certified organizations. Therefore, the DPF holds the potential to act as a crucial facilitator in advancing the trans-Atlantic technology and data economy for these entities.
Yet, as the DPF is the third adequacy decision for the US, its longevity remains uncertain. In fact, the DPF was already challenged on 6 September 2023 by a member of the French Parliament, who raised concerns over the lack of sufficient guarantees for an effective remedy and, in particular, the lack of transparency in the DPRC procedure. Further arguments are that the minimization and proportionality principles of the GDPR are breached by US mass surveillance. However, the EU General Court rejected the request for interim relief on the basis that the applicant had not demonstrated the urgency of the measures sought. Nevertheless, further challenges against the DPF are expected to reach the CJEU. Therefore, US organizations should consider implementing safeguards to mitigate potential disruptions, emphasizing the need for ongoing vigilance in the dynamic landscape of international data transfers.
Authors: Sevgi Ünsal Özden, Gülnur Çakmak Ergene
Footnotes
[1] For the Commission Implementing Decision of 10.07.2023, see https://commission.europa.eu/system/files/2023-07/Adequacy%20decision%20EU-US%20Data%20Privacy%20Framework_en.pdf
[2] For the website of the Data Privacy Framework Program, see https://www.dataprivacyframework.gov/s/ (Access Date: 16.05.2024) and for US-based organizations that are already certified, see https://www.dataprivacyframework.gov/list
[3] For the guidance documents, see https://www.edpb.europa.eu/our-work-tools/our-documents/other-guidance/rules-procedure-data-protection-framework-redress_en
[4] For the Data Protection (Adequacy) (United States of America) Regulations 2023, see https://www.legislation.gov.uk/uksi/2023/1028/made
[5] For detailed information regarding the Swiss-US Data Privacy Framework, see https://www.dataprivacyframework.gov/s/article/FAQs-Swiss-U-S-Data-Privacy-Framework-Swiss-U-S-DPF-1-4-dpf