On 10 July 2023, the EU Commission decided that the EU-US Data Privacy Framework ("DPF") ensures an adequate level of protection for transfers of personal data from the EU and the EEA to the US.

This will make it easier for companies to transfer data to the US, for example when using the services of US cloud providers, as complex risk assessments and supplementary measures will no longer be necessary.

Background

In its Schrems II decision of 16 July 2020, the CJEU declared transfers of personal data to the US on the basis of the EU-US Privacy Shield to be illegal (the same had previously happened to the Safe Harbor Agreement, cf. the CJEU's Schrems I decision of 6 October 2015).

As a result, data transfers to third countries outside the EU became significantly more difficult (here you can find our newsletter on this from 16 July 2020). While the EU-US Privacy Shield was overturned, the EU Standard Contractual Clauses in particular continued to apply, but any data transfer had to be checked in advance for legal and practical risks in the respective third country within a so-called Transfer Impact Assessment in accordance with the guidelines of the European Data Protection Board (EDPB), and supplementary protective measures had to be taken (here you can find our newsletter on this from 12 July 2021).

On 10 July 2023, the EU-US Data Privacy Framework ("DPF"), the successor to the EU-US Privacy Shield, entered into force through the adequacy decision of the EU Commission and was published with explanatory notes and FAQs. Prior to this, US President Biden had issued the "US Executive Order on 'Enhancing Safeguards for United States Signals Intelligence Activities'" on 7 October 2022, which decisively improved the underlying US legal framework: in the case of data access for law enforcement and national security purposes, such access is limited to what is necessary and proportionate to protect national security. Additionally, EU citizens will have access to an independent and impartial redress mechanism in connection with the collection and use of their personal data by US intelligence agencies.

Content and impact of the EU-US Privacy Framework

The DPF, like its predecessors, is structured as a self-certification process. US companies that have gone through this certification process are authorized to import personal data from the EU and EEA into the US without having to rely on EU Standard Contractual Clauses or other data transfer mechanisms.

Procedure for initial certification

The certification of US companies under the DPF is made at the US Department of Commerce. The authority publishes a list that data exporters can use to check whether a certain US importer is certified.

New from old: Certifications under the Privacy Shield

US companies that have already obtained certification under the Privacy Shield can transfer such certification. To do so, however, they must update their privacy policy within three months and refer to the "EU-US Data Privacy Framework Principles", or otherwise go through a withdrawal procedure. For data exporters, this means that, for the time being, they must pay particular attention to the current status of a certification.

Effect of the DPF

Because the EU Commission considers the US to be a safe recipient country under these conditions, the Transfer Impact Assessments and supplementary protective measures required by the CJEU are no longer necessary. Instead, European companies are obliged to check the full certification of the US data importer before transferring any personal data.

Implications for the use of EU Standard Contractual Clauses or BCRs

According to the EU Commission, the adequacy decision significantly simplifies data transfers to the US not only on the basis of the DPF: "The safeguards put in place by the US will also facilitate transatlantic data flows more generally, since they also apply when data is transferred by using other tools, such as standard contractual clauses and binding corporate rules."

In other words, as of now, data transfers to the US based on the EU Standard Contractual Clauses or BCRs are also possible without Transfer Impact Assessments and supplementary protective measures, see also No. 7 of the EU Commission's FAQ.

Our recommendations

Data transfers to US companies with certification under the DPF are now possible without further specific requirements, to the extent and as long as appropriate certification is in place.

Data transfers to US companies based on the EU Standard Contractual Clauses or BCRs also no longer require additional measures.

Data transfers to other unsafe third countries are still subject to the requirements of the CJEU; in particular, a Transfer Impact Assessment has to be conducted. Furthermore, additional protective measures may have to be implemented.

Most likely, the DPF will also be called into question and reviewed by the CJEU. We recommend that companies keep an eye on further developments.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.