Navigating the new EU-US Data Privacy Framework

Paul Voigt, Axel von dem Bussche and Alexander Schmalenberger look at the new EU-US adequacy decision for the Data Privacy Framework and at what that means for EU-US data transfers.

In the ever-evolving landscape of data privacy, the recently adopted EU-US Data Privacy Framework (DPF) marks a significant improvement for EU data exporters and US data importers alike. We shed light on this new framework, its key components, and its implications for businesses on both sides of the Atlantic.

Unraveling the EU-US Data Privacy Framework

The EU-US Data Privacy Framework is a landmark set of rules and binding safeguards that govern the transfer of personal data between the EU and the US. The European Commission adopted its adequacy decision on the DPF on 10 July 2023 and it came into force the same day. It confirms that the US provides an "adequate" level of protection for the data of individuals residing in the EU for those data recipients participating in the framework. This comes more than a thousand days after the ECJ’s 'Schrems II' ruling, which invalidated the predecessor regime EU-US Privacy Shield and left transatlantic data transfers in a regulatory quagmire.

Key takeaways from the DPF

• Unhindered and secure data flows: the DPF facilitates the frictionless and secure flow of personal data between the EU and participating US companies.
• Restrictions on data access: Access to data by US intelligence agencies is limited to what the US considers necessary and proportionate to protect national security.
• Redress mechanism: A new two-tier redress system is in place to investigate and resolve complaints from European individuals about the access to and use of their data by US intelligence agencies. 
• Company obligations: companies processing data transferred from the EU wishing to rely on the DPF must self-certify their adherence to the standards through the US Department of Commerce. 
• Monitoring and review mechanisms: the DPF incorporates specific monitoring and review mechanisms to ensure compliance. 

The business implications of the DPF

The DPF is a significant victory for both small and medium-sized companies and large cloud and social media companies. It resolves the uncertainty about the legal basis for transatlantic data transfers, offering a less burdensome and complex alternative to other transfer mechanisms such as the Standard Contractual Clauses.

A closer look at the DPF

What are the noteworthy changes?

The completion of the DPF was a political challenge for both the US and the EU. Following the Schrems II decision, the US has made concessions regarding legal recourse possibilities for EU individuals and more proportionate data collection by surveillance agencies.

What is the new redress mechanism?

The new redress mechanism, which allows EU individuals to seek redress through their national authorities via the proposed Data Protection Review Court (DPRC), is a significant advancement. However, questions remain regarding the court’s independence and the transparency of the mechanism.

The DPRC is an executive body, not part of the judicial branch, which raises questions about its independence. Its role is to investigate and resolve complaints from Europeans, but its position within the executive branch could potentially influence its decisions, leading to concerns about impartiality.

In addition, the court is only allowed to give a simple decision, without confirming or denying that the complainant was subject to US signals intelligence activities. This approach raises further questions about the transparency of the mechanism. The complainants and the public may not fully understand the basis of the court's decisions, which could lead to a lack of trust in the process.

The effectiveness of the redress mechanism will largely depend on how it is implemented in practice. It remains to be seen how accessible the mechanism will be for EU individuals, how efficiently complaints will be processed, and whether the decisions of the DPRC will effectively remedy any violations of privacy rights.

Has surveillance been adequately addressed under President Biden's order?

Under President Biden's Executive Order (EO), the US made significant concessions to the EU by stipulating that access to EU data by US intelligence authorities should be limited to what is necessary and proportionate to protect national security.

However, the interpretation of terms like "necessary", "legitimate", and "(dis)proportionate", may vary between the EU and the US. For instance, what the US considers a "legitimate" national security objective might be viewed differently in the EU. Similarly, the US and EU might have different thresholds for what constitutes a "disproportionate" impact on privacy and civil liberties.

While the EO represents a significant step towards aligning US practices with EU standards, it is not yet clear whether it has resulted in an actual alignment of standards. This will depend on how the US implements these changes in practice, and how these practices are perceived and evaluated by the EU Commission and the ECJ.

What's next?

We can expect ongoing dialogue and collaboration between the EU and the US to ensure the effective implementation of the DPF, however, uncertainties regarding the longevity of the framework will remain, not least because Max Schrems has already announced a legal challenge.

The DPF will simplify data transfers from the EU to certified data importers in the US However, due to uncertainties regarding the validity of the framework, many EU data exporters may prefer to additionally use other transfer mechanisms such as EU SCCs in conjunction with transfer impact assessments to “backup” the DPF certification.

Understanding the self-certification process under the DPF – how to join

The DPF does not automatically apply to any US company. As with the Privacy Shield, one of the key components is the self-certification process. This is designed to ensure that organizations adhere to the DPF principles and provide adequate protection for personal data transferred from the EU to the US. 

Smooth transition for Privacy Shield participants

The US Department of Commerce (DOC) will soon publish guidance for those currently participating in the EU-US Privacy Shield Framework to ensure a smooth transition to the Privacy Framework. According to its website, it considers the DPF to be immediately applicable to organisations that have self-certified their commitment to comply with the principles of the EU-US Privacy Shield Framework. They will need to update their references in their privacy policies from the EU-US Privacy Shield Framework to the DPF by 10 October 2023. The organisation's recertification deadline will not change. If an organization does not wish to commit to the DPF, it must declare its withdrawal.

The self-certification process for “new” joiners

To benefit from the EU-US Data Privacy Framework, an organization that were not committed to the EU-US Privacy Shield Framework must self-certify its adherence to the Principles with the DOC. This self-certification process involves submitting a detailed report by a corporate officer on behalf of the organization. This report must include:

• The name of the organization and any US entities or subsidiaries also adhering to the Principles.
• A description of the organization's activities with respect to personal information received from the EU.
• A description of the organization's privacy policies for such personal information, including where these policies are available for public viewing.
• A contact office within the organization for handling complaints, access requests, and other issues arising under the Principles.
• The specific statutory body that has jurisdiction to hear any claims against the organization regarding possible unfair or deceptive practices and violations of privacy laws.
• The name of any privacy program in which the organization is a member.
• The method of verification (i.e. self-assessment; or outside compliance reviews, including the third party that completes such reviews).
• The independent recourse mechanism(s) available to investigate unresolved complaints related to the Principles.

On 11 July 2023, the US International Trade Administration confirmed that from 17 July 2023, US organisations may self-certify compliance to the EU-US DPF.  On July 17, 2023, visit the Data Privacy Framework (DPF) program website to make initial self-certification submissions. The website will also provide a variety of guidance. 

Special considerations for human resources Data

If an organization wishes to rely on the DPF to cover HR information transferred from the EU for use in the employment relationship, it must declare its commitment to cooperating with the EU authority or authorities concerned and comply with their advice. The organization must also provide a copy of its human resources privacy policy and information on where this policy is available for viewing by its affected employees.

Maintaining and updating self-certification

The DOC will maintain and make publicly available a list of organizations that have filed completed self-certification submissions and will update this list based on annual recertification submissions and notifications received. Organizations must recertify annually; otherwise, they will be removed from the list, and the benefits of the DPF will no longer apply.

Withdrawal from the DPF

An organization that wishes to withdraw from the DPF must notify the DOC in advance and indicate what it will do with the personal data it received in reliance on the Framework. If the organization chooses to retain the data, it must either affirm its commitment to continue to apply the Principles to the data or provide “adequate” protection for the data by other authorized means.

Changes in corporate status

An organization that will cease to exist as a separate legal entity due to a change in corporate status must notify the DOC in advance. The notification should indicate whether the resulting entity will continue to participate in the DPF, self-certify as a new participant, or put in place other safeguards.

Misrepresentation and compliance

If an organization leaves the DPF for any reason, it must remove all statements implying that it continues to participate in the Framework or is entitled to its benefits. Any misrepresentation concerning an organization's adherence to the Principles may be actionable by the FTC, DOT, or other relevant government bodies.

Next Steps

As we continue to navigate the evolving landscape of data privacy, it is crucial for organizations to stay informed and proactive. The new DPF presents both opportunities and challenges, and understanding its implications is key to ensuring compliance and leveraging its benefits.

• Review and understand the DPF: familiarize yourself with the key components. Understand the obligations it imposes, the rights it grants, and the mechanisms it provides for redress and compliance.
• Consider self-certification: if your organization receives personal data from the EU in the US, consider whether self-certification under the new framework is the right step for you. Review the self-certification process and requirements, and assess your organization's readiness to comply.
• Update your privacy policies and practices: review your current privacy policies and practices to ensure they align with the Principles of the new framework. This includes your policies on data access, redress mechanisms, and compliance verification.
• Monitor updates and guidance: watch out for guidance from the DOC, especially if you're currently participating in the Privacy Shield Framework. This will be crucial in facilitating a smooth transition to the new framework. Note that the EDPB is also planning to publish guidance.
• Seek legal advice: Given the complexities of data privacy laws and the potential implications of non-compliance, consider seeking legal advice. A data privacy lawyer can provide tailored advice based on your organization's specific circumstances and needs. 
• Stay informed: keep an eye on our Global Data Hub for updates and insights into the world of data privacy. As the situation evolves, we will continue to provide the latest information and expert analysis to help you navigate these changes. You can sign up for regular updates here.  

Remember, the journey to data privacy compliance is ongoing. As the DPF takes effect, it's more important than ever to stay informed, proactive, and prepared. If you have any questions or need further clarification on any points, feel free to reach out to us.

All in all, the DPF and the EU adequacy decision will facilitate frictionless data flows for EU businesses looking to export personal data to the USA and for US importers, with UK and EEA country organisations also likely to benefit shortly. Read more about the UK perspective on the DPF here.