What’s this all about?
The EU recently adopted a so-called “Adequacy Decision” for the US (“Commission Implementing Decision of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework”) which has set up a system for making personal data transfers from the EU to the US, known as the “DPF”. This article looks at key aspects of this development.
What’s the background & what does this mean in a nutshell?
Following the European Court of Justice’s ruling three years ago that the EU-US Privacy Shield data transfer system was invalid (essentially around concerns about access by US intelligence services to data transferred from the EU and the checks and balances relating to that), the EU and the US have been working to find a replacement system. The EU’s recent Adequacy Decision has concluded that the US ensures an adequate level of protection. The upshot is that under the DPF personal data can be freely and safely transferred from the EU, and the DPF scheme is now up and running (for the EU at least – see What about the UK? and What about Switzerland?).
Consequently, reliance on the DPF means that other data transfer mechanisms, such as the so-called Standard Contractual Clauses (“SCCs”), do not need to be used for EU-US transfers (and in relation to the SCCs a so-called Transfer Impact Assessment doesn’t need to be undertaken either) (see however Can personal data simply be transferred without doing anything else?). Note that a Data Processing Agreement is still required when a data controller transfers personal data to a data processor (i.e. as regards processing issues such as having measures in place to keep personal data secure).
What has the US had to do?
Under the DPF the US has had to put in place a number of new safeguards, including in particular to:
- Ensure that US signals intelligence activities are limited to those which are necessary and proportionate concerning defined US national security objectives;
- Enhance the thorough oversight of US signals intelligence activities to ensure compliance with limitations on surveillance activities; and,
- Put in place a two-level independent redress mechanism with binding authority to apply remedial measures, which is made up of the following: (a) first level – individuals based in the European Economic Area (i.e. the EU plus Iceland, Liechtenstein and Norway, “the EEA”), may lodge a complaint with the “Civil Liberties Protection Officer of the US intelligence community”; and, (b) second level – individuals based in the EEA have the right to appeal that decision to the newly created “US Data Protection Review Court”; this court has investigative powers concerning complaints brought by such individuals, including the power to obtain relevant information from US intelligence agencies, and will be able to make binding remedial decisions such as ordering the deletion of personal data.
Some have expressed concerns that the US Data Protection Review Court isn’t really a court as such.
Can personal data simply be transferred without doing anything else?
No – a number of formalities must first be met. US organizations that want to be able to take advantage of the DPF will need to undertake privacy compliance self-certification in relation to a number of key privacy rules (which are very similar to EU GDPR requirements).
To participate in the DPF, a US-based organization is required to self-certify to the US Department of Commerce’s International Trade Administration (“ITA”) via the DPF scheme’s website (https://www.dataprivacyframework.gov/s/) and publicly commit to comply with the DPF “Principles”. According to the website: “[w]hile the decision by an eligible US-based organization to self-certify its compliance pursuant to and participate in the relevant part(s) of the DPF program is voluntary, effective compliance upon self-certification is compulsory. Once such an organization self-certifies to the ITA and publicly declares its commitment to adhere to the DPF Principles that commitment is enforceable under US law.”
The “Key Requirements for DPF Program Participating Organizations” consist of the following:
- Informing individuals about data processing;
- Providing free and accessible dispute resolution;
- Cooperating with the US Department of Commerce;
- Maintaining data integrity and purpose limitation;
- Ensuring accountability for data transferred to third parties;
- Transparency related to enforcement actions; and,
- Ensuring commitments are kept as long as data is held.
“How to Join the Data Privacy Framework (DPF) Program” consists of the following:
- Confirming an organization’s eligibility to participate in the DPF scheme;
- Ensuring that an organization has in place an appropriate independent recourse mechanism for each type of personal data covered by its self-certification;
- Making the required contribution for the so-called “Annex I Binding Arbitration Mechanism”;
- Ensuring that an organization’s verification mechanism is in place;
- Designating a contact within the organization regarding DPF compliance;
- Reviewing the information required to self-certify; and,
- Submitting an organization’s self-certification to the US Department of Commerce’s International Trade Administration.
In practical terms, organizations must click on the “Self-Certify” link on the relevant part of the Department of Commerce’s website to create a profile and submit the organization’s self-certification.
The Department of Commerce has also stated that it will work with organizations that have maintained their Privacy Shield certification to facilitate their transition to the updated privacy principles under the DPF.
Organizations participating in the DPF scheme are also required to annually re-certify to the US Department of Commerce’s International Trade Administration, which consists of a number of requirements.
Self-certifying organizations will be placed on the so-called “Data Privacy Framework List”. Organizations will be removed from this list when they voluntarily withdraw, fail to complete the annual re-certification in accordance with the applicable procedures, or are found to persistently fail to comply. Removal from the list also entails certain obligations on an organization, such as deletion or return of personal data. An authoritative record of US organizations that have been removed from this list will also be maintained and made available to the public, and will identify the reason why an organization was removed.
The so-called DPF “Principles” (Annex I of the DPF) are very much the core of the scheme and include provisions concerning: giving notice; various opt-out choices; onward transfer accountability requirements; keeping data secure; data integrity and purpose limitation requirements; access; and, recourse (complaint/dispute mechanisms), enforcement and liability. There are also extensive and wide-ranging so-called “Supplemental Principles” to be taken on board, such as with regard to transfers of human resources data in the context of the employment relationship, or follow-up procedures for verifying that, for example, the attestations and assertions made by the organizations about their DPF privacy practices are true and have been implemented in accordance with the “Principles”.
How will it work on the US side?
The DPF will be administered by the US Department of Commerce, which will process applications for certification and monitor whether participating companies continue to meet the certification requirements (see Can personal data simply be transferred without doing anything else?). Compliance with the DPF will be enforced by the US Federal Trade Commission.
Joining the DPF means agreeing to be subject to the investigatory and enforcement powers of the Federal Trade Commission or the Department of Transportation.
The Department of Commerce will also monitor for false claims of DPF certification – misrepresentation may be subject to enforcement action by the Federal Trade Commission, the Department of Transportation (or other relevant US enforcement authorities).
An organization that ceases to exist due to a change in corporate status, for example because of a merger, takeover or bankruptcy, must notify the Department of Commerce of this in advance (along with meeting various other requirements in connection with this).
Will the DPF be challenged?
Very likely. The Austrian privacy activist Max Schrems successfully challenged the DPF’s predecessors Safe Harbor and Privacy Shield before the European Court of Justice. Schrems has already said that he plans to bring a challenge to the DPF; this may come before the European Court at the beginning of 2024.
What about the UK?
According to the Department of Commerce: “Effective as of July 17, 2023, eligible organizations in the United States that wish to self-certify their compliance pursuant to the UK Extension to the EU-US DPF may do so; however, personal data cannot be received from the United Kingdom and Gibraltar in reliance on the UK Extension to the EU-US DPF before the date that the adequacy regulations implementing the data bridge for the UK Extension to the EU-US DPF enter into force. The data bridge will enable the transfer of UK and Gibraltar personal data to participating organizations consistent with UK law.”
Note that organizations that wish to participate in the UK Extension to the EU-US DPF must participate in the EU-US DPF.
It will however take a bit of time before the DPF scheme is operational for the UK, because the UK needs to carry out a formal legal procedure before the UK’s own “adequacy regulations” implementing the so-called “data bridge” for the UK Extension to the DPF enter into force.
What about Switzerland?
According to the Department of Commerce: “The effective date of the Swiss-U.S. DPF Principles, including the Supplemental Principles and Annex I of the Principles is July 17, 2023; however, personal data cannot be received from Switzerland in reliance on the Swiss-US DPF until the date of entry into force of Switzerland’s recognition of adequacy for the Swiss-US DPF. The recognition of adequacy will enable the transfer of Swiss personal data to participating organizations consistent with Swiss law.”
Note that organizations that only wish to self-certify their compliance pursuant to the EU-US DPF and/or the Swiss-U.S. DPF may do so.
On average a European Court case can take around two years to be resolved, so, at the very least, organizations that sign up to the DPF should be able to rely on the DPF for that length of time from when a legal challenge comes before the European Court.
However, although it is possible that the DPF might only be a short-lived solution, organizations should still give serious consideration to signing up to it.
International data transfers are, generally speaking, a complex and challenging area. Whether or not uncertainty about the life of the DPF can be dispelled, organizations will still need to think carefully about signing up to the DPF, which will also require a fair amount of an organization’s time and resources to put together. The DPF will likely change an organization’s legal obligations, and the state of data protection maturity in some organizations may not in reality be good enough to make it work.
If I’m in the EU or the UK or Switzerland what should I be doing?
If your organization transfers personal data from the EU, the UK or Switzerland to the US, it should consider contacting the US organizations to which personal data is being transferred in order to determine whether those US organizations will participate in the DPF. If those US companies do sign up to the DPF, consideration will also need to be given to what to do about existing arrangements under which data is transferred, such as Standard Contractual Clauses (and their related Transfer Impact Assessments).
Please understand that what is being provided in this news item is only information and not legal advice. Organizations seeking advice about the US aspects of the DPF should contact US counsel and those seeking advice concerning an EU country, the UK or Switzerland should contact counsel in those respective jurisdictions.
We report about data protection and privacy issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
The EU Adequacy Decision for the EU-US Data Privacy Framework can be found here: https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en.
The Department of Commerce “Data Privacy Framework Program” can be found here: https://www.dataprivacyframework.gov/s/.
The Department of Commerce “Key Requirements for DPF Program Participating Organizations” can be found here: https://www.dataprivacyframework.gov/s/key-requirements.
The Department of Commerce “How to Join the Data Privacy Framework (DPF) Program” can be found here: https://www.dataprivacyframework.gov/s/article/How-to-Join-the-Data-Privacy-Framework-DPF-Program-part-1-dpf.
The Department of Commerce “How to Re-certify under the Data Privacy Framework (DPF) Program” can be found here: https://www.dataprivacyframework.gov/s/article/How-to-Re-certify-under-the-Data-Privacy-Framework-DPF-Program-dpf.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 347 2365