On 10 July 2023, the European Commission adopted its long-awaited adequacy decision for the EU-US Data Privacy Framework ("DPF") finding that data transfers from Europe to the US pursuant to the DPF would benefit from an adequate level of data protection.
The adoption of the adequacy decision provides some much-needed certainty around EU-US international data transfers, particularly in light of the recent decision of the Irish Data Protection Commissioner's enquiry finding that international data transfers from Meta Ireland to the US pursuant to the European Commission's Standard Contractual Clauses ("SCCs") had infringed the GDPR (refer to our blog post here).
However, given the previous criticism of the draft DPF by prominent authorities such as the EDPB; the legal challenge to the DPF expected from Max Schrems and his non-profit organisation noyb; the chequered history of US adequacy decisions (the "Safe Harbor" and the "Privacy Shield"); and the fact that the decision is going to be subject to periodic review by the European Commission, there remains a significant risk that this latest US adequacy decision could be challenged, amended and/or withdrawn in due course.
Now the dust has settled a little on the DPF, in this blog post we take a closer, more detailed look at the practical reactions to the adequacy decision and what this means for data exporters in Europe, data importers in the US, and also companies in the UK:
Background: A chequered history
International data transfers from the EU to the US have had a chequered history.
Back in 2000, the European Commission determined that the so-called US Safe Harbor mechanism provided adequate protection for personal data transferred from the EU to Safe Harbor member companies in the USA. Whilst not a full adequacy decision for the US, the Safe Harbor framework was a self-regulatory system, with some statutory underpinning, in which member companies in the US could sign up to Privacy Principles and a complaints system. Oversight of the system was provided by the Federal Trade Commission amongst others. However, on 6 October 2015 the Court of Justice of the European Union ("CJEU") issued its judgment in Schrems v Data Protection Commissioner (Ireland) ("Schrems"). This judgment invalidated the Safe Harbor adequacy decision with immediate effect so that European and UK data exporters were no longer able to rely on the mechanism for the transfer of data to the US. The rationale behind the judgment was the ability of the US intelligence services to gain access to personal data to an extent that goes beyond what is strictly necessary and proportionate for the protection of national security. This was coupled with a lack of any right for non-US persons to seek legal remedies in the US for misuse of their data.
Following on from the Schrems decision, the European Commission approved the EU-US Privacy Shield in 2016, publishing another partial adequacy decision for the US. The Privacy Shield, like its predecessor, was a voluntary framework, allowing companies to commit to upholding certain standards of personal data protection. The Privacy Shield also established an ombudsperson to whom complaints about mistreatment of personal data could be directed. However, the Privacy Shield was heavily criticised and, in July 2020, the CJEU once again found that the adequacy decision was invalid in Data Protection Commissioner v Facebook Ireland (also known as Schrems II) on the basis that: (i) the data processing by the US signals intelligence gathering activities was neither necessary nor proportionate; and (ii) the ombudsperson was not sufficiently independent and objective for individuals to seek redress in relation to the improper use of their personal data from the US government. See our blog post here for more details.
Following the Schrems II decision, the EU and US reached an 'in-principle' agreement for yet another trans-Atlantic data privacy framework and announced the DPF in March 2022 (see more details here). As a result, President Biden signed the Executive Order on 'Enhancing Safeguards for United States Signals Intelligence Activities' in October 2022 ("EO 14086") directing the steps that the US will take to implement the US commitments under the EU-US DPF. EO 14086 provides: (i) further safeguards for US signals intelligence activities; and (ii) a double layered mechanism for individuals to obtain independent and binding review and redress (read more about the Executive Order on our blog here). The EU Commission adopted the draft adequacy decision in December 2022 and the final decision was adopted on 10 July this year.
What you need to know
The DPF aims to address the concerns raised by the CJEU in the Schrems II decision by: (i) introducing binding safeguards to limit access to personal data by US intelligence authorities to what is necessary and proportionate; (ii) providing EU data subjects with several new data subject access rights; and (iii) creating a new two-tier avenue for providing effective redress and remedy. As a result of the adequacy decision, data transfers to DPF-certified organisations within the US may take place without the need for further authorisations.
US companies can self-certify their participation in the DPF and this certification will need to be renewed on an annual basis. The DPF will be administered by the US Department of Commerce ("US DoC") and compliance by US companies with their obligations under the DPF will be enforced by the US Federal Trade Commission ("US FTC"). As such, only organisations that are subject to the investigatory and enforcement powers of the US DoC or the US FTC can make use of the DPF.
By certifying with the DPF, US companies commit to complying with a detailed set of new privacy obligations that are derived from those under the US Privacy Shield and are similar to core GDPR principles (such as purpose limitation, special protection for special categories of personal data, data accuracy, data minimisation, accountability or onwards international data transfers etc) (the "Principles"). Other pre-requisites include: (i) disclosing privacy policies in line with the Principles; and (ii) performing regular internal or external verifications of the self-certified organisation's compliance with the Principles. In the short time since its adoption, at the time of writing, the DPF list already includes 2488 active members and 3740 inactive members.
EO 14086 formed an essential element of the US legal framework on which the adequacy decision was based. As part of the Commission's review of whether US law met the essential equivalence test, the Commission concluded that, as a result of EO 14086, US intelligence activities were subject to the safeguards of legality, necessity and proportionality. US intelligence agencies are required to implement the requirements of EO 14086 into policies and practices by 7 October 2023.
The DPF also sets up a two-layer review and redress mechanism to address concerns raised around the lack of independent and impartial remedies. Under the first layer, the Civil Liberties Protection Officer ("CLPO") will conduct an initial investigation into any complaints received to assess if EO 14086's additional safeguards or applicable US law were violated. As a second layer, the Attorney General is authorised by EO 14086 to establish a Data Protection Review Board ("DPR Board") to provide an independent and binding review of the CLPO's decisions. Judges on the DPR Board will be appointed from outside the US government and have protections against removal.
The DPF requires participating organisations to register with redress mechanisms (e.g. by voluntarily committing to the jurisdiction of EU DPAs, including independent alternative dispute resolution or private-sector developed privacy programs). The DPF also provides data subjects with a number of possibilities to enforce their rights which include: (i) direct contacts at the participating organisation; (ii) an independent dispute resolution body designated by the participating organisation; (iii) national DPA in the EU; (iv) the US DoC; (v) the US FTC; and (vi) as a last resort, the individual may invoke binding arbitration under the DPF.
Analysis and practical implications
Does this solve the uncertainty of international data transfers?
In short, no. Uncertainty remains around international data transfers in the medium term.
Data transfers to the US are only a small subset of international data transfers so a stable and long-standing solution to international data transfers in general is still the need of the hour. The adequacy decision ensures that data transfers to the US (to participating organisations) can take place without reliance on any further data transfer mechanisms. However, the DPF mechanism isn't accessible to everyone and is only available for transfers to the US. As a result, many organisations are still heavily reliant on the SCCs and supplementary measures, where the recent decision on the legality of data transfers by Meta Ireland pursuant to the SCCs does raise some concerns. By way of reminder, Meta had transferred personal data from the EU to the US pursuant to the SCCs and supplementary measures. The EDPB and subsequently, the Irish DPC found that such data transfers were unlawful (due to the deficiencies in US law).
"Schrems III" imminent
In addition, in response to the DPF, Max Schrems has stated that "the "new" Trans-Atlantic Data Privacy Framework is a copy of [the] Privacy Shield (from 2016), which in turn was a copy of [the] "Safe Harbor" (from 2000). Given that this approach has failed twice before, there was no legal basis for the change of course – the only logic of having a deal was political ...there is little change in US law or approach taken by the EU."
Unsurprisingly Max Schrems has announced that his non-profit organisation, noyb, has prepared various procedural options to challenge the DPF before the CJEU. In terms of timing, "it is not unlikely that a challenge would reach the CJEU by the end of 2023 or beginning of 2024...A final decision...would be likely by 2024 or 2025."
Periodic adequacy review
The European Commission has also stated that it will "continuously monitor relevant developments in the United States" and regularly review the adequacy decision. In particular, the first review will take place within one year of its entry into force (10 July 2023) to verify whether all elements have been fully implemented. Following the review, the Commission (in consultation with the EDPB and Member States) will decide on the periodicity of subsequent reviews, which shall take place at least once every four years. Of particular note, adequacy decisions can be adapted or even withdrawn in the case of developments affecting the level of protection in the third country.
A similar review was incorporated as a pre-condition to the EU – UK adequacy decision as well, to ensure an adequate level of protection continues to remain, particularly in light of the current reform of the UK data protection regime.
Are organisations going to now change the safeguard that they rely on for transatlantic transfers of personal data?
The short answer is probably no. Although possible, we think it is unlikely that we will see a mass shift away from the current reliance on mechanisms such as the SCCs. There are a number of reasons for this, including the fact that the position remains unchanged for personal data transfers to companies outside of the US.
In addition, as mentioned in the "What you need to know" section above, there are restrictions around the US organisations that can actually rely on the DPF. In order to be able to register for the DPF, an organisation has to be within the regulatory jurisdiction of the FTC or DoT.
This means that the DPF is not available to, for example, financial services institutions, insurance companies or not-for-profit organisations in the US. EU data exporters to those kinds of companies will therefore need to continue to rely on an alternative data transfer mechanism such as SCCs for personal data transferred from the EU to the US.
SCCs are used by a large number of organisations for cross-border data transfers. According to a survey conducted by Digital Europe in November 2020 (to better understand the use of SCCs in Europe following the "Schrems II" judgement), SCCs were "by far" the most widely used mechanism for data transfers. In fact, 85% of companies surveyed were using them, with 70% of SMEs surveyed using them.
Many organisations have also spent significant time and resource over the last few years repapering existing contracts and transfer mechanisms as a result of the Privacy Shield being invalidated in the Schrems II case. This effort to put SCCs in place, combined with the potential uncertainty currently associated with the DPF (see "Does this solve the uncertainty of international data transfers?" above), means that it seems unlikely that EU data exporters will be in a rush to repaper their contracts yet again in order to rely on a mechanism that is likely to also be challenged in the future.
There will, however, be some US data importers that remained certified to the US Privacy Shield post Schrems II, and for whom a move across to the DPF is likely to be more straightforward. Whilst the DPF may potentially provide another useful tool in the armoury of international data transfer mechanisms in those circumstances in particular, it would be prudent for those EU data exporters seeking to rely on the DPF to keep any existing SCCs in place as well (or provide contractually for the SCCs to apply as a possible fallback position if not already in place) – to ensure the continued free flow of personal data if the DPF were to also subsequently be challenged, amended or withdrawn.
Having been burnt before, we expect most organisations to take a "wait-and-see" approach but we may start to see greater reliance on the DPF once milestones such as the first European Commission review and the outcome of any potential "Schrems III" challenge have taken place.
Are supplementary measures still required when SCCs are used for EU – US data transfers?
Data transfer impact assessments ("TIAs") will no longer be required for EU – US data transfers relying on the DPF, as the adequacy decision effectively replaces the adequacy assessment conducted under the TIA process.
Whilst the adequacy decision does not remove the requirement to conduct a TIA for other transfer mechanisms (including use of the SCCs), it is anticipated that it will simplify the process given that the European Commission has effectively already now considered the US laws in place.
The European Commission's FAQ document published to accompany the adequacy decision expressly states that "All the safeguards that have been put in place by the US Government in the area of national security (including the redress mechanism) apply to all data transfers under the GDPR to companies in the US, regardless of the transfer mechanism used. These safeguards therefore also facilitate the use of other tools, such as standard contractual clauses and binding corporate rules."
This sentiment is re-iterated in the information note "Data transfers under the GDPR to the US after adoption of the adequacy decision" issued by the EDPB on 18 July 2023.
We therefore expect many organisations' TIAs to become more streamlined in light of the adequacy decision, with EU data exporters more likely to be able to conclude that no supplementary measures are required for personal data transfers from the EU to the US, particularly in light of EO 14086 (see "What you need to know" section above).
This suggestion that no additional supplementary measures are required has already been supported by some of the data protection authorities. For example, in Norway, an informal translation of the Datatilsynet's own FAQs on the DPF refers to the fact that "the European Commission has already considered US legislation and practices and [...] believes that these are not a problem and that additional measures are not necessary". It will be interesting to see the extent to which other data protection authorities opine on this point as well, particularly the ICO once any UK 'extension' is in place (see "What about the UK" below).
What about onward transfers from a US recipient of data under the DPF to a third party?
As with the Privacy Shield before it, Principle 3 (Accountability for Onward Transfers) under the DPF sets out special rules that apply to so-called 'onward transfers'. In particular, any onward transfer can only take place: (i) for limited and specified purposes; (ii) on the basis of a contract between the EU-US DPF organisation and the third party; and (iii) only if that contract requires the third party to provide the same level of protection as guaranteed by the Principles. This inevitably requires a flow down of the Principles under the DPF to the third party controller or processor.
Whilst a TIA is not required for the initial transfer of the personal data from the EU to the original US recipient that has self-certified to the DPF, it is worth considering whether such an assessment is required for the onward transfer to a non-adequate jurisdiction in conjunction with an appropriate data protection safeguard. Where a safeguard such as SCCs is in place, it is also worth considering the extent to which that safeguard sufficiently flows down the Principles or whether additional contractual protections are required to satisfy Principle 3. In the case of SCCs, for example, the assessment (and related risk profile) may differ depending on whether the relevant SCCs comprise the controller-to-controller, controller-to-processor or processor-to-processor modules. This could be particularly relevant, for example, to cloud providers who tend to have a range of sub-processors in their supply chain.
What about the UK?
Following UK Prime Minister Rishi Sunak's visit to the US to launch the 'Atlantic Declaration', which is intended to create an economic partnership between the two nations, the UK Secretary of State for Science, Innovation and Technology and their US counterpart announced that they had committed in principle to establish a "data bridge" between the UK and the US. This would act as a UK extension to the EU-US DPF and facilitate data flows between the two countries. By relieving some of the red-tape duties placed on American organisations, the Government hopes to speed up processes and reduce costs for UK entities engaging in business with US organisations.
In the meantime, the US Department of Commerce has confirmed that organisations certifying under the EU – US DPF can already self-certify under what is effectively a future potential UK extension. However, UK businesses should be aware that even where a US data importer has self-certified under both the DPF and the UK extension (self-certifying to the UK extension alone is not possible), they still cannot rely on this mechanism for transfers until the UK Government has issued its own adequacy decision in respect of the DPF and UK extension. The UK has a similar "data bridge" arrangement in place with other key partner countries, including the Republic of Korea.
Does this decision signify a move away from data localisation?
Perhaps at odds with promoting the free flow of data, in parallel we have also seen European initiatives supporting data sovereignty. For example, in an effort to prevent cloud providers from being subject, directly or indirectly, to the effective control of foreign companies, a draft Cybersecurity Certification Scheme for Cloud Services has considered introducing additional safeguards to put EU data outside the reach of jurisdictions with extra-territorial application laws that might conflict with the EU or national law of a Member State. The European Cloud Services scheme is a voluntary certification under the EU Cybersecurity Act that may become mandatory for the numerous entities deemed essential or important under the revised Network and Information Security Directive (NIS2). The Act provides three levels of assurance: "basic", "substantial" and "high".
Data localisation measures are required for the level of assurance "high" and above, requiring cloud providers to include at least one option in their contracts to locate all data processing activities in the EU.
Traditionally the potential extra-territorial reach of US legislation has been cause for concern, particularly for tenants of cloud services hosted in the US. However, it will be interesting to see whether the changes envisaged under the Executive Order and the DPF will indeed provide any comfort and a move away from data localisation, particularly in the cloud provider market.