Companies Can Once Again Freely Transfer Data With Adoption Of Adequacy Decision Of The EU-US Data Privacy Framework

Lewis Brisbois Bisgaard & Smith LLP


Founded in 1979 by seven lawyers from a premier Los Angeles firm, Lewis Brisbois has grown to include nearly 1,400 attorneys in 50 offices in 27 states, and dedicates itself to more than 40 legal practice areas for clients of all sizes in every major industry.

New York, N.Y. (July 14, 2023) – On July 10, 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework (DPF), creating a new pathway for data transfers. In this decision, the European Commission states that the new safeguards implemented by the United States via Executive Order 14086 (EO) ensure an adequate level of protection for personal data transferred from the European Union (EU) to companies participating in the DPF. Therefore, EU companies can freely transfer personal data to participating companies in the U.S. without additional data protection safeguards.

This development comes after the previous agreement between the EU and the U.S. – the "Privacy Shield" – was deemed invalid by the EU's Court of Justice on July 16, 2020. The DPF provides EU individuals with new rights related to their data that is being transferred. These include the right to obtain access to their data, correct or delete incorrect data, and the right to bring forth a complaint free of charge.

Participation in the EU-US DPF

U.S. companies can self-certify their participation in the DPF by signing up on the newly launched website. By certifying under the DPF, companies agree to abide by the following privacy principles:

  • Purpose limitation and choice – Personal data should be collected for a specific purpose and used only for that purpose.
  • Processing of special categories of personal data – There should be special safeguards for sensitive personal information, such as medical or health conditions, and companies must obtain express consent from individuals to use this special category of information.
  • Data accuracy, minimization, and security – Data collected must adhere to the specific purpose for which it was collected and companies should make sure that the data collected is accurate for that purpose. Additionally, companies need to make sure the data is protected through technical and organizational measures.
  • Transparency – Data subjects should be informed of a company's participation in the DPF, as well as (1) the type of data the company collects, (2) the purpose of the processing, (3) third party disclosures and the purposes of those disclosures, (4) data subject rights, (5) how to contact the company, and (6) what redress mechanisms exist for data subjects.
  • Individual Rights – Data subjects have certain rights that include the right to access data collected on them, the right to object to the processing of their personal data, and the right to have data rectified and erased.
  • Restrictions on onward transfers – The level of protection agreed to between an EU company and a U.S. company certified under the DPF must be maintained if the data is further transferred to a third party, regardless of whether that third party is located within the U.S.
  • Accountability – Companies are required to institute appropriate technical and organizational measures to comply with their data protection obligations.

The U.S. Department of Commerce administers the DPF and will process applications, while the U.S. Federal Trade Commission will enforce DPF compliance. Moreover, as the International Trade Administration announced in its Privacy Shield Program Update of July 11, 2023, companies that are certified under the Privacy Shield will automatically have their certification transferred to DPF as long as they update their privacy policies by October 10, 2023. These companies do not have to make a separate self-certification application. Note that companies that have certified themselves to the Privacy Shield, but do not wish to follow DPF, must submit a withdrawal certification.

Should Companies Self-Certify Now?

Companies should be aware that the DPF's predecessor, the Privacy Shield, was challenged and subsequently invalidated through a lawsuit brought by privacy advocacy organization Not Your Own Business (NYOB) or Max Schrems, who has been the face of these lawsuits. NYOB is committed to filing an appeal to invalidate DPF as well. Therefore, there is a risk that companies will have to revert to previous mechanisms instead of relying on DPF. Companies should conduct an internal assessment of business needs and consider the time and cost associated with certifying with the DPF.

The good news is that companies also have more leverage to enter into data transfer agreements through Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) without signing up for the DPF. For example, under the DPF, companies would not have to conduct a Transfer Impact Assessment (TIA). However, a company that is required to conduct a TIA when using SCCs or BCRs would not experience the same barriers that existed before, because a Data Protection Authority would have to take the adequacy decision into account and conclude that the data transfer is sufficiently protected. This is in part because the adequacy decision relies on the EO, which established new binding safeguards that limit data access by U.S. intelligence authorities and created an independent redress mechanism to investigate and resolve complaints regarding access to data.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
