New EU-U.S. Adequacy Decision Spells Major Development in Transatlantic Data Transfers
The European Commission has adopted its adequacy decision for the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”). In adopting the decision, the European Commission concluded that “the United States ensures an adequate level of protection–comparable to that of the European Union–for personal data transferred from the EU to U.S. companies under the new framework.” The adequacy decision became effective on July 10, 2023. Although a legal challenge to the EU-U.S. DPF adequacy decision is all but certain, for the moment it is a major development in the facilitation of EEA-U.S. data flows.
Overview of the EU-U.S. DPF Adequacy Decision
The European Commission has stated that “[t]he adequacy decision on the EU-U.S. Data Privacy Framework covers data transfers from any public or private entity in the EEA to US companies participating in the EU-U.S. Data Privacy Framework.” If a U.S. organization receiving data from the European Economic Area (EEA) self-certifies to the EU-U.S. DPF, EEA personal data may flow freely and safely from the EEA to that organization without the need for additional safeguards under Article 46 of the GDPR. In addition, the safeguards that have been put in place by the U.S. government in the area of national security in connection with the EU-U.S. DPF adequacy decision will also facilitate the use of other transfer mechanisms, such as Standard Contractual Clauses (“SCCs”) and Binding Corporate Rules (“BCRs”), for U.S. organizations that cannot (or decide not to) self-certify to the EU-U.S. DPF.
How Organizations can Join the EU-U.S. DPF
- Privacy Shield-Certified Organizations
Per the Department of Commerce (“DOC”), organizations that have self-certified their commitment to comply with the EU-U.S. Privacy Shield Framework Principles may begin relying immediately on the EU-U.S. DPF adequacy decision to receive personal data transfers from the European Union/European Economic Area. See DOC DPF Guidance. However, such organizations must update their privacy policies for DPF compliance and complete their EU-U.S. DPF self-certification by October 10, 2023. See id.
Organizations that are self-certified to comply with the EU-U.S. Privacy Shield Framework Principles but do not wish to participate in the EU-U.S. DPF must complete, in accordance with International Trade Administration (“ITA”) procedures, the withdrawal process referred to in section (f) of the ITA’s Supplemental Principle on Self-Certification.
- Organizations Not Privacy Shield-Certified
For organizations not already Privacy Shield certified, on July 17, 2023, the ITA launched a website where users can get more information about the EU-U.S. DPF, sign up for an account on the site, and complete the self-certification process. To certify under the EU-U.S. DPF (or re-certify on an annual basis), the European Commission has stated that organizations must publicly declare their commitment to comply with the EU-U.S. DPF Principles; make their privacy policies available; and fully implement them. Per the EU-U.S. DPF adequacy decision, as part of the self-certification (and annual re-certification) application, organizations must submit information to the DOC concerning, among other things, the name of the organization seeking self-certification; a description of the purposes for which the organization will process personal data; the personal data that will be covered by the certification; the chosen verification method; the relevant independent recourse mechanism; and the statutory body with jurisdiction to enforce the organization’s compliance with the EU-U.S. DPF Principles. The DOC has listed seven steps for entities to take to properly self-certify to the EU-U.S. DPF. The key elements of the seven steps laid out on the EU-U.S. DPF website are set forth below, along with a bonus recommendation we have added concerning third-party service provider management:
- Confirm Your Organization’s Eligibility to Participate in the EU-U.S. DPF. To qualify for participation in the EU-U.S. DPF, organizations must be subject to the jurisdiction of one of the competent U.S. authorities, the U.S. Federal Trade Commission (“FTC”) or the Department of Transportation (“DOT”). Some entities (e.g., many banks, insurers, and nonprofits) fall outside FTC and DOT jurisdiction and therefore will not be eligible to participate.
- Develop an EU-U.S. DPF-Compliant Privacy Policy. The organization’s publicly available privacy policy must address, among other things:
  - (i) the participation of the organization, and any of its subsidiaries, in the EU-U.S. DPF;
  - (ii) the organization’s commitment to subject to the EU-U.S. DPF Principles all personal data received from the EU in reliance on the relevant part(s) of the DPF program;
  - (iii) the types of personal data collected;
  - (iv) the purposes of the processing;
  - (v) the type or identity of third parties to which personal data is disclosed and the purposes for doing so;
  - (vi) individual data subject rights under the DPF, and how to exercise them;
  - (vii) how to contact the organization;
  - (viii) available redress avenues (including the organization’s selected independent dispute resolution entity); and
  - (ix) the organization’s liability in cases of onward transfers to third parties.
- Implement an Appropriate Independent Recourse Mechanism for Each Type of Personal Data Covered by the Self-Certification. Self-certifying organizations must provide an independent recourse mechanism (e.g., JAMS, BBB National Programs (BBB NP), TRUSTe, International Centre for Dispute Resolution-American Arbitration Association (ICDR-AAA), PrivacyTrust, VeraSafe), at no charge to individual data subjects, to investigate unresolved complaints brought under the EU-U.S. DPF Principles. This mechanism must be in place prior to the organization’s self-certification. If an organization’s self-certification covers HR data (i.e., personal information about the organization’s own employees, past or present, collected in the context of the employment relationship), the organization must “. . . agree to cooperate with and comply with the advice of the appropriate European data protection authorities with regard to such data.”
- Confirm Appropriate Third-Party Processor Selection, Contracting, and Monitoring Procedures Are Implemented. Organizations are required to enter into specified contractual provisions with their third-party processors, and they may face liability for the actions of their processors unless they prove they are not responsible for the event giving rise to the damage. Certifying organizations should therefore ensure they have appropriate third-party processor selection, contracting, and monitoring procedures in place.
- Make the Required Contribution for the Annex I Binding Arbitration Mechanism. EU data subjects have the option under the EU-U.S. DPF to invoke binding arbitration to determine whether a participating organization has violated its obligations under the EU-U.S. DPF Principles as to that data subject and whether any such violation remains fully or partially unremedied. The DOC committed to maintaining a fund, to which participating organizations are required to contribute, to cover arbitral costs, including arbitrator fees, up to specified maximum amounts, based on the participating organization’s annual revenues. The ICDR-AAA was selected by the DOC to administer arbitrations and manage the arbitral fund. To make the required contribution, entities should visit the ICDR-AAA’s website at http://go.adr.org/privacyshieldfund.html.
- Verify DPF Attestations and Assertions. According to the DOC, self-certifying organizations must “. . .have procedures in place for verifying that their attestations and assertions about its DPF privacy practices are true and that those privacy practices have been implemented as represented and in accordance with the DPF Principles.” Organizations must verify their attestations and assertions through self-assessment or through third-party compliance reviews.
- Designate an Internal Contact to Address EU-U.S. DPF Requests, Complaints, and Compliance. Organizations participating in the EU-U.S. DPF are required to provide a contact for the handling of complaints, access requests, and issues concerning their compliance with the EU-U.S. DPF. This contact may be the corporate officer certifying the organization’s compliance with the EU-U.S. DPF Principles, or another official within the organization, such as a Chief Privacy Officer. Under the EU-U.S. DPF Principles, organizations are required to respond to data subjects’ requests and complaints within 45 days.
- Compile the Information Required to Self-Certify and Submit Certification: Prior to submitting a self-certification via the EU-U.S. DPF website, organizations should compile the information required as part of the ITA’s online self-certification process. Then, the self-certification form should be completed. (See required self-certification information).
Although Organizations May Already Self-Certify to the UK-U.S. Extension and Swiss-U.S. Data Privacy Framework, Such Frameworks Are Not Yet Finalized
Although the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework are not yet finalized, organizations can already self-certify their compliance with these frameworks. That being said, organizations may prefer to wait until they can actually rely on these frameworks to support relevant cross-border transfers before committing to compliance with them. In the remainder of this section, we provide information about each framework.
- UK Extension. The UK has committed to the creation of a data bridge to the U.S. via the UK Extension to the EU-U.S. DPF, which acknowledges the adequacy of protection provided to UK citizens by the EU-U.S. DPF. Effective July 17, 2023, eligible organizations in the U.S. may self-certify their compliance pursuant to the UK Extension, but they may not begin relying on the UK Extension to receive personal data transfers from the UK and Gibraltar until the United Kingdom’s adequacy regulations implementing the data bridge for the UK Extension are finalized and in force. Organizations wishing to participate in the UK Extension must also participate in the EU-U.S. DPF.
- Swiss-U.S. Framework. The Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) Principles entered into effect on July 17, 2023. Organizations that previously self-certified their commitment to comply with the Swiss-U.S. Privacy Shield Framework Principles must comply with the Swiss-U.S. DPF Principles, including by updating their privacy policies. Those organizations do not need to make a separate, initial self-certification submission to participate in the Swiss-U.S. DPF; however, they may not begin relying on the Swiss-U.S. DPF to receive personal data transfers from Switzerland until the date of entry into force of the Swiss Federal Administration’s anticipated recognition of adequacy for the Swiss-U.S. DPF. The updating and renaming of the privacy principles under the Swiss-U.S. DPF will not change such an organization’s re-certification due date. Organizations that self-certified their commitment to comply with the Swiss-U.S. Privacy Shield Framework Principles, but do not wish to participate in the Swiss-U.S. DPF, must complete, in accordance with ITA procedures, the withdrawal process referred to in section (f) of the Supplemental Principle on Self-Certification.
Enforcement of the EU-U.S. DPF
Organizations participating in the EU-U.S. DPF are required to implement an independent recourse mechanism that is available to investigate and resolve data subject complaints and disputes at no cost to data subjects. The recourse mechanism must also include procedures for verifying compliance with the EU-U.S. DPF Principles. The sanctions implemented (if necessary) through the recourse mechanism must be rigorous enough to ensure compliance by participating organizations. The sanctions should include, among other penalties, publicity for findings of non-compliance and deletion of data in appropriate circumstances, suspension and removal of a seal, compensation for data subjects for losses incurred because of non-compliance, and various injunctive awards. If organizations participating in the EU-U.S. DPF fail to comply with the rulings of the independent recourse mechanism, the independent recourse mechanism is required to “. . . notify the governmental body with applicable jurisdiction or the courts, as appropriate, and the U.S. Department of Commerce.”
Numerous administration and enforcement bodies are working together to implement the EU-U.S. DPF. The DOC will administer the EU-U.S. DPF and will monitor certifying organizations’ compliance with the EU-U.S. DPF. Either the FTC or DOT will enforce compliance obligations under the EU-U.S. DPF, depending on the type of organization that is under review.
Key Compliance Obligations under the EU-U.S. DPF
Key compliance obligations under the EU-U.S. DPF, include, but are not limited to, the following:
- Subjecting All EEA Personal Data to the EU-U.S. DPF. Organizations must subject to the EU-U.S. DPF Principles all personal data they receive from the EEA in reliance on the EU-U.S. DPF.
- Conducting Required Administrative Functions. Organizations must fulfill the mandatory administrative functions required by the EU-U.S. DPF, including those that U.S. organizations must complete prior to self-certification (e.g., providing contact information for requests and complaints; paying the necessary fund contributions).
- Entering into Compliant Data Processing Agreements. Organizations must incorporate the requisite contractual terms referenced under the Accountability for Onward Transfer Principle when personal data is being transferred from the EEA to the U.S. for processing purposes under the EU-U.S. DPF.
- Abiding by EU-U.S. DPF Principles. Organizations must comply with the EU-U.S. DPF Principles including the notice; choice (i.e., the right for individuals to choose that their personal data not be disclosed to a third party or used for a different purpose than the purpose for which their personal data was originally collected); accountability for onward transfers; security; data integrity and purpose limitation; access (i.e., individuals’ rights of access, amendment, rectification, and deletion of personal data); and recourse, enforcement and liability principles. Compliance with such principles will require, among other actions, updating the organization’s privacy notice in accordance with the relevant EU-U.S. DPF Principles; meeting obligations to provide EU data subjects with access and other rights to which they are entitled under the EU-U.S. DPF; and implementing an independent recourse mechanism.
Overview of the Limitations and Safeguards on Access to Personal Data by U.S. Intelligence Agencies
A key element underpinning the EU-U.S. DPF adequacy decision is the Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’ and its accompanying regulations adopted by the Attorney General (the “Executive Order”).
For Europeans whose personal data is transferred to the U.S., the Executive Order provides for protections and redress mechanisms, such as: (1) Binding safeguards that limit access to data by U.S. intelligence authorities to what is necessary and proportionate to protect national security; (2) Enhanced oversight of activities by U.S. intelligence services to ensure compliance with limitations on surveillance activities; and (3) The establishment of an independent and impartial layered redress mechanism. This redress mechanism includes a process through which complaints regarding access to complainants’ personal data by U.S. Intelligence Community bodies can be made to a Civil Liberties Protection Officer (“CLPO”), whose decisions on a matter are enforceable unless appealed by either the complainant or the Intelligence Community body to the new Data Protection Review Court (“DPRC”). The DPRC has the authority to resolve disputed rulings by the CLPO.
Broader Impact of the Limitations and Safeguards on Access to Personal Data by U.S. Intelligence Agencies on Other Lawful Transfer Mechanisms
The Commission has stated that “[a]ll the safeguards that have been put in place by the US Government in the area of national security (including the redress mechanism) apply to all data transfers under the GDPR to companies in the US, regardless of the transfer mechanisms used. These safeguards therefore also facilitate the use of other tools, such as standard contractual clauses and binding corporate rules.” This statement from the European Commission likely contemplates that the adequacy decision and the resulting safeguards tied to it will make the use of SCCs and other lawful transfer mechanisms stronger in the eyes of the European Commission and EEA Data Protection Authorities.
In the post-Privacy Shield world, organizations have had no option but to pivot to reliance on other lawful transfer mechanisms to legally transfer personal data from the EU to the U.S. For many organizations, SCCs have been the preferred transfer mechanism for the past couple of years, but recent penalties imposed for cross-border transfers, such as the massive fine imposed on Meta Ireland despite its use of SCCs for personal data transfers, demonstrate that SCCs are not a bulletproof solution. Additionally, BCRs and other mechanisms (e.g., approved codes of conduct) are expensive and often require a time consuming, cumbersome implementation process, and are generally only implemented by very large organizations (e.g., eBay, Intel, HP). Therefore, although other transfer mechanisms may be stronger now in the eyes of the European Commission, there is a strong argument for organizations to pivot to self-certification to the EU-U.S. DPF.
Should Your Organization Self-Certify?
It is uncertain whether the EU-U.S. DPF will remain in force because—like Privacy Shield and Safe Harbor before it—the EU-U.S. DPF will be challenged on grounds that it does not adequately protect EEA personal data. NOYB, a European digital rights advocacy nonprofit based in Vienna, Austria, is expected to raise such a challenge. NOYB is broadly known for raising the challenge that ultimately invalidated the EU-U.S. DPF’s predecessor, Privacy Shield. NOYB’s founder, Max Schrems, vowed to challenge the EU-U.S. DPF virtually as soon as the adequacy decision was handed down. Despite the impending challenge from NOYB, however, both the DOC and the European Commission have expressed their confidence in the EU-U.S. DPF being upheld. As the European Commission has noted, the framework was drafted expressly to address the problems and fill the gaps in the Privacy Shield laid out in the Schrems II decision.
Participation in the EU-U.S. DPF is likely to be viewed as a good option for most U.S. organizations receiving personal data from the EEA because (1) self-certification to the EU-U.S. DPF will permit the transfer of personal data from the EEA to such organizations without the need for additional safeguards; (2) some customers/clients will likely want or prefer such organizations to participate in the EU-U.S. DPF; (3) such organizations will not be required to help prepare Transfer Impact Assessments (“TIAs”) under the GDPR to support transatlantic personal data transfers (although if a DPF-certified organization will be transferring EU personal data onward to organizations or suppliers in other third countries for which an adequacy decision is not in place, a TIA should be completed to support that transfer); and (4) the costs of self-certification will generally be lower than the cost of maintaining SCCs with multiple third parties, especially for organizations with numerous contracts in place. Our view is that organizations that are able to comply with the EU-U.S. DPF Principles should strongly consider participating in the EU-U.S. DPF. Organizations considering certification should conduct a privacy compliance assessment and remediate any gaps in EU-U.S. DPF compliance (and in GDPR compliance) before self-certifying, even if they previously self-certified under Privacy Shield.
Organizations that have maintained their Privacy Shield certification will transition to the EU-U.S. DPF after making the relatively limited updates that are required. The deadline for such organizations to complete their EU-U.S. DPF self-certification is October 10, 2023. Other organizations may self-certify as soon as they have confirmed their ability to comply and have taken the necessary steps to self-certify. The FTC and DOT are expected to enforce the EU-U.S. DPF strictly, so it will be important for certifying organizations to confirm that they are, and remain, EU-U.S. DPF compliant.
If Your Organization Self-Certifies, Does Your Organization Need Other Transfer Mechanisms in Place?
The EU-U.S. DPF will serve as an efficient and cost-effective mechanism for many organizations conducting transatlantic personal data transfers to conduct such transfers without the need to implement additional safeguards. This is especially important for small and medium-sized businesses, as implementing SCCs and BCRs can be extremely expensive and time-consuming.
However, some organizations may consider using transfer mechanisms under Article 46 of the GDPR in addition to relying on the EU-U.S. DPF adequacy decision. During the International Association of Privacy Professionals’ “The EU-U.S. Data Privacy Framework in Practice” LinkedIn live web conference, the DOC’s Alex Greenstein mentioned that companies may want to consider SCCs or other transfer mechanisms as a “belt and suspenders” solution for compliance to be used in conjunction with participation in the EU-U.S. DPF.
If organizations choose to continue to rely on SCCs or certain other transfer mechanisms, it is worth noting that the changes brought about by the new safeguards and redress mechanisms included in President Biden’s executive order will require them to update their TIAs (e.g., editing TIAs to properly account for new safeguards related to government access). Although implementing compliant SCCs or other lawful transfer mechanisms, along with certifying to the EU-U.S. DPF, as a “belt and suspenders” approach, may provide some benefits (e.g., allowing entities choosing to withdraw from the EU-U.S. DPF to retain data received in reliance on the EU-U.S. DPF and SCCs without having to affirm they will continue to apply the EU-U.S. Principles to such data) we generally recommend that organizations self-certify and only utilize the additional safeguards if absolutely necessary for transfers that may involve organizations and suppliers in third countries without an adequacy decision.
Moving forward, we recommend keeping apprised of further developments in this area. Potential developments to watch out for include data transfer frameworks tailored to cover entities excluded by the scope of the EU-U.S. DPF (e.g., healthcare and financial services entities), as well as both narrower and broader government frameworks (e.g., state-specific adequacy decisions; a U.S. adequacy decision if a comprehensive federal privacy law is ever passed). Specific compliance obligations for cross-border data transfers are a moving target, and it will be important for organizations engaging in cross-border personal data transfers to stay on top of the latest legal developments in Europe and beyond.
Randy Willnauer contributed to this article.