knowledge 2 August 2023 |

European Commission adopts adequacy decision for the new EU-US Data Privacy Framework

Background 

In its July 2020 Schrems II judgment, the Court of Justice of the European Union (the “CJEU”) declared the European Commission’s Privacy Shield decision invalid. The CJEU’s main concerns were that (i) the access and use of personal data by US intelligence services and public authorities did not fulfil the requirements of proportionality and necessity as set out under the GDPR, and (ii) the Ombudsman mechanism did not provide effective redress mechanisms for EU data subjects to challenge surveillance practices.

After the invalidation of the Privacy Shield, the European Commission and the US Government entered into discussions on a new framework that would address the issues raised by the CJEU. In October 2022, US President Biden signed an Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’ which was accompanied by regulations issued by the US Attorney General.

What has changed? 

The adequacy decision concludes that the United States ensures an adequate level of protection, compared to the EU, for personal data transferred from the EU to US organisations participating in the EU - US Data Privacy Framework. So, what has changed to enable this conclusion?  

An essential element of the US legal framework on which the adequacy decision is based concerns the Executive Order and accompanying regulations mentioned above, which address the concerns raised by the CJEU. For Europeans whose personal data is transferred to the US, the Executive Order provides for: 

• binding safeguards that limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security;
• enhanced oversight of US Intelligence authorities’ activities to ensure compliance with limitations on surveillance activities; and 
• an independent and impartial redress mechanism, which includes a new Data Protection Review Court to investigate and resolve complaints regarding access to their data by US national security authorities.

The Data Privacy Framework provides individuals whose data will be transferred to participating organisations in the US with several new rights, for example, to obtain access to their data, or obtain correction or deletion of incorrect or unlawfully handled data.

What happens now?

US based organisations can now self-certify their participation in the Data Privacy Framework by committing to comply with a detailed set of privacy obligations. The Data Privacy Framework program is administered by the International Trade Administration (the “ITA”) within the US Department of Commerce. While the decision by an eligible US based organisation to self-certify its compliance is voluntary, effective compliance upon self-certification is compulsory. Once an organisation self-certifies to the ITA and publicly declares its commitment to adhere to the Data Privacy Framework obligations, that commitment is enforceable under US law.

To rely on the Data Privacy Framework for transfers of personal data from the EU, an organisation must not only self-certify its adherence to the Data Privacy Framework obligations to the ITA, but also be placed and remain on the Data Privacy Framework List. The ITA will update the Data Privacy Framework List on the basis of annual re-certification submissions made by participating organisations and by removing organisations when they (i) voluntarily withdraw, (ii) fail to complete the annual re-certification in accordance with the ITA's procedures, or (iii) are found to persistently fail to comply. The ITA will also maintain and make available to the public an authoritative record of US organisations that have been removed from the Data Privacy Framework List and will identify the reason each organisation was removed. 

What does this mean for Standard Contractual Clauses and Binding Corporate Rules?

The safeguards that have been put in place by the US Government in the area of national security (including the redress mechanism) apply to all data transfers under the GDPR to companies in the US, regardless of the transfer mechanism used. This means that the safeguards also facilitate the use of other tools, such as Standard Contractual Clauses and Binding Corporate Rules, and lower the risk of transferring personal data to the US in general.

What’s next?

This adequacy decision is an important step toward securing valid legal transfers of personal data between EU and US organisations and will be welcomed by small and large organisations alike. Despite this, the Data Privacy Framework Agreement has already been criticised by non-profit group ‘noyb’, led by Max Schrems, which said it would challenge the agreement. 

The European Commission will continuously monitor relevant developments in the US and regularly review the adequacy decision, with the first reviewing taking place within one year after the adoption of the adequacy decision. Periodic future reviews will take place at least every four years. It is important to note that adequacy decisions can be adapted or even withdrawn in case of developments affecting the level of protection in the relevant country. 

Also contributed to by Alice Dunphy