On July 10, 2023, the European Commission ("Commission") adopted an adequacy decision for the EU-US Data Privacy Framework ("DPF"). Under this decision, personal data can flow from the EU to US companies that certify their compliance with the DPF without additional safeguards or other transfer mechanisms, such as the Standard Contractual Clauses ("SCCs"). While this decision covers only EU to US transfers, similar decisions are expected for UK to US and Switzerland to US transfers. This is a landmark decision that offers the simpler solution to cross-border transfers that many multinational US companies have been waiting for over the past three years.
What is an Adequacy Decision, and Why does it Matter?
The EU General Data Protection Regulation ("GDPR"), the EU's data privacy regime, is a comprehensive data privacy law that applies to companies processing the personal data of individuals in the European Economic Area ("EEA"), regardless of where those companies are located. The GDPR's extraterritorial effect on data transfers is particularly important. Among other things, it mandates that personal data subject to the GDPR be transferred outside of the EEA only if the destination has adequate safeguards in place. Importantly, the GDPR gives the Commission the power to assess whether a destination outside of the EEA has such safeguards, whether that destination is a country, a territory, an international organization, or a specific sector within a country, territory, or organization. If the Commission determines that the transferred data will receive protection essentially equivalent to the standard set by the GDPR, it issues an adequacy decision. Such a decision allows personal data to flow from the EEA to that destination without further safeguards and without relying on other transfer mechanisms, such as the SCCs.
Prior to 2020, transfers between the EU and US could rely on the EU-US Privacy Shield Framework ("Privacy Shield"), which the Commission deemed adequate in July 2016. However, in July 2020, the Court of Justice of the European Union invalidated the adequacy decision for the Privacy Shield, finding that it did not provide a level of protection essentially equivalent to that of the GDPR (for details, see our previous client alert) (the "Schrems II case"). In effect, the Schrems II case required companies transferring personal data to the US to rely on alternative transfer mechanisms, such as the SCCs, coupled with supplementary measures where necessary to ensure their effectiveness.
What is the EU-US Data Privacy Framework?
The DPF outlines a set of privacy principles and safeguards for handling the personal data of individuals in the EEA. In addition to the same seven principles on which the Privacy Shield was based, it adds safeguards designed to address the issues identified in the Schrems II case. The DPF principles are Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement and Liability. Companies that certify to the DPF must publicly commit to comply with these principles and implement privacy policies in line with them.
Many of the DPF's safeguards are substantially similar to those found in other privacy laws, such as the US state privacy laws. For example, the DPF requires deletion when a company no longer uses the personal data for the purpose for which it was collected, and it limits the personal data collected to what is "necessary and proportionate." Further, US companies must ensure an adequate level of protection when they share personal data with third parties. The DPF is also accompanied by the Data Protection Review Court, an independent mechanism to review and redress complaints from individuals in the EEA concerning access to their data by US intelligence agencies, a concept similar to the California Privacy Protection Agency established by the California Privacy Rights Act.
What Does this Mean for Companies?
Companies that maintained their certification under the Privacy Shield program may have a simplified path to certification under the DPF, but they will need to update their privacy policies by October 10, 2023. Further details about the certification process are expected to be released on the website of the US Department of Commerce (the "Department"), which administers the DPF program.
US companies are not the only ones affected. EEA companies subject to the GDPR will remain responsible for ensuring that the companies to which they transfer personal data possess adequate safeguards, whether by means of a DPF certification or another transfer mechanism such as the SCCs. To aid in that effort, the Department will maintain on its website a list of US companies that are certified under the DPF.
Importantly, companies may still choose to rely on the SCCs. However, companies that rely on the SCCs instead of certifying under the DPF will still need to take additional steps, such as conducting transfer impact assessments.
The DPF takes effect immediately for EU to US transfers. The UK extension of the DPF will take effect on July 17, 2023, but companies may not rely on it as an adequate safeguard for transfers from the UK to the US until the UK's adequacy regulations implementing the UK extension take effect. Similarly, the Swiss-US DPF will take effect on July 17, 2023, but companies may not rely on it until the Swiss Federal Administration recognizes the Swiss-US DPF as providing adequate protection.
The Commission and the Department will continue to review the DPF, and it may be subject to future legal challenge. Nonetheless, the DPF is a significant development for economic relations between the EU and the US and gives US companies an opportunity to strengthen their commercial ties to the EU. Given that the DPF takes effect immediately, companies should act swiftly to consider whether self-certifying is the right step for them.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.