On July 10, the European Commission formally adopted the EU-U.S. Data Privacy Framework (DPF). The Commission’s adequacy decision (and the documentation package accompanying it, including the FAQ) brings welcome news: for certified DPF participants, personal data can flow between the European Economic Area (EEA) and the United States (U.S.) without the need for additional safeguards such as Standard Contractual Clauses, and without the need for transfer risk assessments (TRA). The adequacy decision does not extend to all transfers of personal data, only to those within the DPF. Consequently, eligible US data importers should consider preparing to (re)-certify to facilitate transfers from the EEA.
This post provides an overview of the DPF for “importers” of personal data to the U.S. and “exporters”, as well as for personal data transfers from the United Kingdom to the U.S.
The DPF, A Refreshed Privacy Shield?
The DPF replaces two previous frameworks (first, Safe Harbor and then, Safe Harbor’s replacement, Privacy Shield) under which certain U.S. organizations could certify their participation for the purpose of receiving personal data from the EEA (which then included the UK). Both frameworks benefited from an adequacy decision by the EU Commission until they were found unlawful by the European Court of Justice (ECJ), most recently in the Schrems II judgment of July 2020.
Based on the new adequacy decision, the DPF certification process will include many obligations and requirements similar to the Privacy Shield.
What’s Different this Time?
A key element in the EU’s assessment of the protection afforded by the DPF is President Biden’s Executive Order 14086 ‘Enhancing Safeguards for U.S. Signals Intelligence Activities’ (EO 14086), which is complemented by a Regulation on the Data Protection Review Court issued by the Attorney General (AG Regulation). Together, the EO 14086 and the AG Regulation seek to address concerns relating to bulk digital surveillance undertaken by U.S. law enforcement and intelligence agencies which underpinned the ECJ’s judgment in Schrems II.
For Data Exporters: Is your Data Importer on the DPF list?
The DPF applies to a U.S. organization that:
- publicly commits to the ‘EU-U.S. Data Privacy Framework Principles’, including the Supplemental Principles issued by the U.S. Department of Commerce (DoC) (the Principles”); and
- is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) or the U.S. Department of Transportation (DoT).
Self-certification is not enough. Recital (49) of the adequacy decision emphasizes that “organizations certifying for the first time are not allowed to publicly refer to their adherence to the Principles before the DoC has determined that the organization’s certification submission is complete and added the organization to the DPF List.” Once on the DPF list a US data importer is a “DPF Participant”.
It will be essential periodically to renew that check since organizations must annually re-certify their participation in DPF.
Key Dates For U.S. Data Importers
The DoC published on July 11, 2023 a list of key dates and actions points for U.S. Data Importers that wish to (re)certify, as follows:
- Organizations that certified to the Privacy Shield must comply with the DPF, including updating their privacy policies to reflect DPF by October 10, 2023. They do not need to make a separate submission and may rely on the DPF immediately. Conversely, if your organization was on the Privacy Shield list but does not want to adhere to the DPF, you must formally withdraw;
- On July 17, 2023, the DPF program website (https://lnkd.in/eng9mbNc) will launch, to enable U.S.-based organizations that were not certified under the Privacy Shield to make initial self-certification submissions to participate in the EU-U.S. DPF. The DPF program website will also, according to the authorities, provide a variety of guidance materials and related resources.
Enforcement: The Roles of the DoC and FTC
The DoC will deploy a range of mechanisms to monitor, on an ongoing basis, the effective compliance with the Principles by DPF Participants. In particular, it will carry out compliance ‘spot checks’ of randomly selected organizations.
Organizations that do not re-certify or that persistently fail to comply with the Principles will be removed from the DPF List and must return or delete the personal data received under the Framework.
Further, the FTC will enforce the Principles. The FTC’s enforcement toolkit includes: (i) monetary fines of up to $50,120 per violation, or $50,120 per day for a continuing violation, and (ii) injunctions.
Onward transfers under the DPF
Onward transfer of personal data can take place only:
- for limited and specified purposes;
- on the basis of a contract between the DPF Participant and the third party (or comparable arrangement within a corporate group); and
- if that contract requires the third party to provide the same level of protection as the one guaranteed by the Principles.
Additional protections apply in the case of an onward transfer to a processor. In such a case, the U.S. organization must ensure that the processor only acts on its instructions and must take reasonable and appropriate steps:
- to ensure that personal data is processed in a manner consistent with the organization’s obligations under the Principles; and
- to stop and remediate unauthorized processing, upon notice.
The DPF Participant may be required by the DoC to provide a summary or representative copy of the privacy provisions of its contract with the processor. Where compliance problems arise in a (sub-)processing chain, the organization acting as the controller of the personal data will in principle face liability unless it can prove that it is not responsible for the event giving rise to the damage.
The Redress Mechanism
A key element in the ECJ decisions to strike down both Safe Harbor and Privacy Shield was the lack of an effective redress mechanism for individuals whose personal data is transferred to the U.S. That is, prior to DPF, EEA individuals did not have an effective way to seek legal relief if they believed they were unlawfully targeted by certain U.S. national security laws.
To secure EU approval of the DPF, the U.S. Government established a two-layer redress mechanism, with independent and binding authority, to handle and resolve complaints from any individual whose data has been transferred from the EEA to organizations in the U.S. about the collection and use of their data by U.S. intelligence agencies.
Individuals can submit a complaint to their national data protection authority. Complaints will be investigated by the ‘Civil Liberties Protection Officer’ of the U.S. intelligence community. This person is responsible for ensuring compliance by U.S. intelligence agencies with privacy and fundamental rights. From there, individuals may appeal the decision of the Civil Liberties Protection Officer before the Data Protection Review Court (DPRC), an independent body established by the Attorney General on the basis of EO 14086. The DPRC has power to investigate complaints from EU individuals, including to obtain relevant information from intelligence agencies, and to make binding remedial decisions. In each case, the DPRC will select a special advocate with relevant experience to ensure that the complainant’s interests are represented and that the DPRC is well informed of the factual and legal aspects of the case.
Redress for non-compliance with the Principles
The new EU adequacy decision includes additional avenues to recourse that are clearly designed to head off challenges based on lack of redress for non-compliance by DPF organizations. For example, recital (69) emphasizes that data subjects may pursue cases of non-compliance with the Principles through direct contacts with DPF organizations. To facilitate resolution, the organization must put in place an effective redress mechanism to deal with such complaints. An organization’s privacy policy must clearly inform individuals about a contact point, either within or outside the organization, that will handle complaints (including any relevant establishment in the Union that can respond to inquiries or complaints), and it must identify a designated independent dispute resolution body (either in the United States or in the Union). Upon receipt of an individual’s complaint, directly from the individual or through the DoC following referral by a data protection authority (DPA), the organization must provide a response to the data subject within a period of 45 days. Likewise, organizations are required to respond promptly to inquiries and other requests for information from the DoC or from a DPA (where the organization has committed to cooperate with the DPA) relating to their adherence to the Principles.
To support compliance, the DoC may verify that DPF organizations are registered with the independent recourse mechanisms they identify in their privacy notice.
Is the DPF Going to Last, What About a Schrems III?
Considerable efforts have been put by the EU and the U.S. to come up with a strengthened transfer framework. Both partners expressed their confidence that the regime is going to last. Some officials and privacy advocates are, however, already questioning the validity and effectiveness of the DPF.
Critics point out that individual data subjects will not have any direct interaction with the DPRC, and that the outcome of its consideration will be a statement “without confirming or denying that the complainant was subject to United States signals intelligence activities, that: “the review either did not identify any covered violations or the Civil Liberties Protection Officer of the Office of the Director of National Intelligence issued a determination requiring appropriate remediation”. Whether the Court of Justice would accept this as “judicial redress” under Article 47 of the EU’s Charter of Fundamental Rights remains to be seen. Further, despite its name, campaigners assert that the DPRC cannot legitimately be described as a court or tribunal. However, though a renewed challenge on that basis is likely, the outcome of the case is unpredictable. In the meantime, the EU’s newly adopted adequacy decision stands and provides relief for organizations whose operations depend on, or involve, EEA to U.S. transfers of personal data.
Accordingly, keeping a set of SCCs in your back pocket (or an undertaking from your exporter to enter into SCCs in case of invalidation) might prove helpful.
Don’t forget Article 3
Recital (8) of the EU adequacy decision states that while personal data transfers from controllers and processors in the EEA to certified organizations in the United States may take place without the need to obtain any further authorization, this does not affect the direct application of Regulation (EU) 2016/679 to such organizations where the conditions regarding the territorial scope of that Regulation, laid down in its Article 3, are fulfilled.
Thus, it remains essential to determine whether the U.S. recipient is directly subject to GDPR. Under GDPR Article 3 that would be the case where the U.S. organization meets either:
- the “establishment test” under Article 3(1), where the U.S. organization has either physical premises in the EEA, or where it operates through “stable contractual arrangements” such as with sales representatives; or
- the “targeting test” under Article 3(2), where the U.S. organization either offers goods or services to individuals within the EEA, or monitors individuals’ behavior within the EEA.
Where a U.S. organization is directly subject to GDPR it must meet its obligations as controller or processor. Where that organization has an establishment within the EU, then that establishment will be the point of enforcement. Where the organization is caught by the “targeting test” in Article 3(2), then it must appoint a representative under GDPR Article 27 to serve as the point of contact with EU supervisory authorities.
Does the EU decision apply to transfers from the United Kingdom?
The EU’s adequacy decision does not apply to transfers of personal data made from the UK and governed by the UK’s post-Brexit data protection laws in the Data Protection Act 2018 and UK GDPR. Negotiations for the creation of a UK-U.S. “data bridge” have been underway for some time and seem highly likely to lead to a UK adequacy decision in favor of the U.S..
The DoC already anticipates the upcoming adoption by allowing eligible organizations in the United States that wish to self-certify their compliance pursuant to the UK Extension to the EU-U.S. DPF to do so as from July 17, 2023. Application requires adherence to the EU DPF as well. Logically, one will not be able to rely on the UK Extension to the EU-U.S. DPF to receive personal data transfers from the United Kingdom (and Gibraltar) before the date that the United Kingdom’s anticipated adequacy regulations implementing the data bridge for the UK Extension to the EU-U.S. DPF enter into force.
In the meantime, while EU-U.S. transfers may proceed under the DPF, UK-U.S. transfers continue to require use of “appropriate safeguards” such as the ICO-approved International Data Transfer Agreement (IDTA) and a TRA. For now, the one potential benefit to UK organizations is that where personal data is being transferred to a U.S. organization that is on the DPF List, that fact can be considered as a positive element in the UK organization’s TRA.
Will the EU adequacy decision affect transfers outside the DPF?
The EU Commission’s decision is not an adequacy decision in favor of the U.S. as a whole or of any particular U.S. States. Rather, it is a strictly limited mechanism applicable to U.S. organizations that make a public commitment to the Principles and are added to (and remain on) the DPF List. Similar to the Privacy Shield, there are data importers that will not be able to certify, as they do not meet the certification requirements; the FTC or DoT supervision often being a barrier for specific sectors.
All other transfers of personal data to the U.S. that fall within GDPR Article 44 as “restricted transfers” remain subject to the requirement for “appropriate safeguards” under GDPR Article 46. This includes transfers to non-DPF organizations in the U.S. and onward transfers from DPF organizations whether to non-DPF organizations in the U.S. or to recipients in other countries that do not have the benefit of an EU adequacy decision. In those cases, appropriate safeguards will commonly be a TRA together with use of the EU Standard Contractual Clauses or (occasionally) Binding Corporate Rules for intra-group transfers plus supplemental measures such as encryption at rest and in transit. It is possible that the measures implemented by the US government to address concerns raised in Schrems II will also alleviate burdens on organisations in the EEA transferring to US organisations that are not DPF Participants. The measures in EO 14086 and the AG Regulation are not limited to DPF Participants but apply to all transfers of personal data to the US. Consequently, a TRA undertaken in relation to Standard Contractual Clauses or Binding Corporate Rules may reflect a reduction in risk sufficient to allow their use with fewer, or even with no, supplemental measures. However, the ongoing risk of challenge and the risk of “Schrems III” means that organisations would be well-advised to proceed with caution.
Next Steps
Be on the lookout for more guidance from our Data Privacy, Cybersecurity & Digital Assets Practice team on this exciting development and more details on how to take advantage of the DPF.
In the meantime, for more information contact one of the authors or your Squire Patton Boggs relationship partner.
Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.