What is the EU-U.S. DPF?
Under the EU-U.S. DPF, EU organisations will be able to transfer personal data from the EU to the United States freely if and to the extent that the U.S. recipient has self-certified under the new EU-U.S. DPF regime (similar to the certification under the former EU-U.S. Privacy Shield). No EU standard contractual clauses will be required for transfers covered by EU-U.S. DPF certification. Where the U.S. recipient is a processor and the EU entity is a controller, putting in place an EU standard contractual clause containing the requirements of Article 28 of the GDPR will suffice.
In order to self-certify, U.S. organisations must publish privacy policies that align with the EU-U.S. DPF privacy principles and implement them when handling EU personal data. They will be required to recertify annually. Compliance with the EU-U.S. DPF principles will be enforced by the U.S. Federal Trade Commission and the U.S. Department of Transportation. The U.S. Department of Commerce will administer and monitor the EU-U.S. DPF. EU data subjects will be able to enforce their rights by bringing a complaint directly to a self-certified U.S. organisation, to an independent dispute resolution body in the United States or in the EU free of charge, to an arbitration panel, or to their national data protection authority in the EU.
Beyond the certification regime set up for U.S. companies, the EU-U.S. DPF envisages an acceptance of EU standard privacy principles and of appropriate internal changes to policies by U.S. intelligence agencies. Where the U.S. recipient is not certified under the EU-U.S. DPF and relies on EU standard contractual clauses for transfers, the changes to the practices of U.S. intelligence agencies caused by the EU-U.S. DPF will result in many EU-U.S. data transfers being greenlit following mandatory transfer impact assessments.
What has changed in the U.S. legal framework to allow adequacy?
The previous EU-U.S. Privacy Shield was invalidated by the Court of Justice of the European Union in 2020 due to the lack of protection given to EU personal data. In its draft adequacy decision, the Commission stated that the level of protection does not have to be “identical” or a “point-to-point replication of Union rules” to be adequate, but that it is necessary that “the foreign system as a whole delivers the required level of protection”. According to the Commission, President Biden’s Executive Order of 7 October 2022 (EO), which is binding on U.S. intelligence agencies, revised and strengthened the restrictions on access to EU personal data and introduced new redress mechanisms for data subjects.

U.S. surveillance bodies have until 7 October 2023 to bring policies and procedures into line with the EO. Once the updated policies and procedures are in place, the U.S. Privacy and Civil Liberties Oversight Board (PCLOB) will conduct a review to ensure they are consistent with the EO. After completion of the review, each intelligence service has 180 days to consider and implement or otherwise address all PCLOB recommendations.
Once adopted, the adequacy decision will be regularly reviewed by the Commission for effectiveness; the first review will take place within one year of adoption and subsequent reviews every four years.
What are the next steps?
The EU Justice Commissioner, Didier Reynders, expects the adequacy decision to be finalised before July 2023. It is not clear how this expectation aligns with the 7 October 2023 deadline for U.S. intelligence agencies mentioned above. Given this deadline, it may well be that the adequacy decision only comes into effect if U.S. intelligence agencies have met their obligations as set out in the EO.
A few steps first need to be taken. The European Data Protection Board will need to provide its non-binding opinion on the draft adequacy decision. Then a committee representing the EU member states will need to approve the draft, as will the European Parliament.
The EU draft adequacy decision is a strong response to critical statements made by some EU data protection authorities after the EO was published. The Commission conducted a thorough analysis of the EO and the relevant U.S. legal framework and argues that the EU-U.S. DPF now rests on a legal foundation solid enough to withstand possible claims before the Court of Justice of the European Union.
Client Alert 2023-001