On July 10, 2023, the European Commission adopted its adequacy decision on the EU-U.S. Data Privacy Framework (“DPF”). The decision, which took effect on the day of its adoption, concludes that the United States ensures an adequate level of protection for personal data transferred from the EEA to companies certified to the DPF. This blog post summarizes the key findings of the decision, what organizations wishing to certify to the DPF need to do and the process for certifying, as well as the impact on other transfer mechanisms such as the standard contractual clauses (“SCCs”), and on transfers from the UK and Switzerland.

Background

The Commission’s adoption of the adequacy decision follows three key recent developments:

  1. the endorsement of the draft decision by a committee of EU Member State representatives;
  2. the designation by the U.S. Department of Justice of the European Union and Iceland, Liechtenstein, and Norway (which together with the EU form the EEA) as “qualifying states,” for the purposes of President Biden’s Executive Order 14086 on Enhancing Safeguards for U.S. Signals Intelligence Activities (“EO 14086”). This designation enables EU data subjects to submit complaints concerning alleged violations of U.S. law governing signals intelligence activities to the redress mechanism set forth in the Executive Order and implementing regulations (see our previous blog post here); and
  3. updates to the U.S. Intelligence Community’s policies and procedures to implement the safeguards established under EO 14086, announced by the U.S. Office of the Director of National Intelligence on July 3, 2023.

The final adequacy decision, which largely corresponds to the Commission’s draft decision (see our prior blog post here), concludes “the United States … ensures a level of protection for personal data transferred from the Union to certified organisations in the United States under the EU-U.S. Data Privacy Framework that is essentially equivalent to the one guaranteed by [the GDPR]” (para. 201).

Key Findings of the Decision

In reaching the final decision, the Commission confirms a few key points:

  • Legal framework with conditions. The decision states that “when U.S. law enforcement and national security authorities access personal data falling within scope of this Decision, such access is governed by a legal framework that lays down the conditions under which access can take place and ensures that access and further use of the data is limited to what is necessary and proportionate to the public interest objective pursued” (para. 200).
  • Interference is limited to what is strictly necessary. The Commission considers that the U.S. legal framework, including the limitations, safeguards and redress mechanism established by EO 14086, ensures that “any interference … by U.S. public authorities with the fundamental rights of the individuals whose personal data are transferred from the Union to the United States under the [DPF], will be limited to what is strictly necessary to achieve the legitimate objective in question, and that effective legal protection against such interference exists” (para. 203).
  • Limitations and safeguards imposed on access to personal data by U.S. authorities. The Commission confirmed that “[t]he limitations and safeguards introduced by EO 14086 supplement those provided by Section 702 FISA and EO 12333. The requirements described [in EO 14086] must be applied by U.S. intelligence agencies when engaging in signals intelligence activities pursuant to Section 702 FISA and EO 12333” (para. 125).
  • Establishment of a two-tier redress mechanism for EU data subjects under EO 14086. The Commission provides greater clarity on the process by which EU data subjects can submit complaints through the two-tier redress mechanism established under EO 14086 “concerning an alleged violation of U.S. law governing signals intelligence activities (e.g., EO 14086, Section 702 FISA, EO 12333)” (para. 176). The decision specifies that an EU data subject must submit the complaint to a Data Protection Authority (“DPA”) in an EU Member State. After the DPA has verified that the requirements for filing a complaint have been met (e.g., that the complainant has provided a basis for alleging that a violation of U.S. law has occurred; actual knowledge of a violation is not required), the DPA must channel the complaint, via the secretariat of the EDPB, to the redress mechanism in the U.S. That mechanism comprises an initial investigation of the complaint by the Civil Liberties Protection Officer of the Director of National Intelligence (“ODNI CLPO”) and, where sought by the data subject, a review of the ODNI CLPO’s decision by the Data Protection Review Court (paras. 177-179, 183-184).

The Commission will periodically review the adequacy decision, with the first review scheduled for 2024, to verify whether the safeguards and redress mechanisms provided in EO 14086 and the Data Protection Review Court “have been fully implemented and are functioning effectively in practice” (para. 211).

What Do Organisations Need To Do To Self-Certify to the DPF?

The DPF establishes a set of principles and supplemental principles (collectively, the “Principles”), which are binding on organisations participating in the DPF. The Principles remain largely unchanged compared to the principles under the Privacy Shield, and impose obligations including:

(1) transparency, by requiring participants to inform individuals of their certification to the DPF, including identifying the specific U.S. entities adhering to the Principles (“notice”);

(2) requiring participants to offer individuals the opportunity to opt out of disclosures of their personal data to third parties, and of uses of their personal data for purposes materially different from those for which the data was originally collected or subsequently authorised (“choice”);

(3) stricter rules on onward transfers, including the requirement to enter into a contract with the recipient and to ensure that the data is processed only for limited and specified purposes consistent with the Principles (“accountability for onward transfer”); and

(4) giving individuals the right to access the personal data an organisation holds about them and to correct, amend or delete it (“access”).

The supplemental principles set out additional requirements on, among others, the transfer of sensitive and HR data, the process of self-certification to the DPF, and mandatory contracts for onward transfers.

Participation in the DPF is voluntary. However, once a company decides to certify to the DPF, compliance with the Principles is compulsory and enforceable, including by data subjects through, among other avenues, a binding arbitration option.

How Do Organisations Self-Certify to the DPF?

The DPF relies on a self-certification mechanism administered by the U.S. Department of Commerce, which also administered the previous frameworks, including the Privacy Shield. Companies must submit information through a dedicated website, including, among other things:

  • the name of the self-certifying or re-certifying U.S. organisation, and the name(s) of any U.S. entities or subsidiaries that will also adhere to the Principles;
  • a description of the organisation’s activities (e.g., the purpose(s) of processing) with respect to the transferred personal data;
  • a description of the organisation’s privacy policy/policies for the transferred personal data, including the relevant web address where the privacy policy is publicly available; and
  • the relevant independent recourse mechanism available to investigate unresolved Principles-related complaints. 

To participate in the DPF, companies will be required to pay a fee, and re-certify annually. The Department of Commerce will maintain a publicly available list of participants.

The supplemental principles specify that the “DPF benefits are assured from the date on which the Department [of Commerce] places the organization on the Data Privacy Framework List” (sec. 6(a)). The Department of Commerce will only place an organisation on the DPF List after having determined that the organisation’s initial self-certification submission is complete, and will remove the organisation from the list if it voluntarily withdraws, fails to complete its annual re-certification, or if it “persistently fails to comply with the Principles” (sec. 6(a)).

Importantly, the Department of Commerce has confirmed that organisations that have maintained their self-certification to the EU-U.S. Privacy Shield (“Privacy Shield”) do not need to make a new self-certification submission in order to rely on the DPF, provided they comply with the DPF Principles, including updating their privacy policies to refer to the DPF Principles, by 10 October 2023. They must still complete their annual re-certification when it falls due.

The DPF website – which organisations can use to make initial self-certification submissions (where they were not previously self-certified to the Privacy Shield) or to re-certify under the DPF Principles – launched on 17 July 2023.

Impact on EU-US Data Transfers & Other Data Transfer Tools

Importantly, personal data can be transferred freely from the EU to organisations that are certified to the DPF, without the need for additional transfer safeguards such as SCCs (although where the certified recipient acts as a processor, a data processing contract meeting the requirements of Article 28 GDPR must also be in place). Companies relying on Standard Contractual Clauses or Binding Corporate Rules will also benefit from the Commission’s adequacy decision, as they may refer to the Commission’s findings on U.S. law and practice in their own U.S. transfer impact assessments.

Other Transfers

UK-U.S. data transfers

From 17 July 2023, organisations in the U.S. that wish to self-certify their compliance with the UK Extension to the DPF (“UK Extension”) may do so. However, they cannot begin relying on the UK Extension to receive personal data from the UK (and Gibraltar) until the UK’s adequacy regulation (a “data bridge”) implementing the UK Extension enters into force. (An agreement in principle was reached on 8 June 2023.) Organisations that wish to participate in the UK Extension must also participate in the DPF.

Swiss-U.S. data transfers

From 17 July 2023, organisations in the U.S. that wish to self-certify to the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) may do so. However, organisations cannot begin relying on the Swiss-U.S. DPF to receive personal data from Switzerland until the Swiss Federal Administration’s anticipated adequacy decision on the Swiss-U.S. DPF (which we expect to see published in the next few months) enters into force.

***

Covington regularly advises companies on all aspects of their international transfers. Our team is happy to assist with any inquiries relating to the new EU-U.S. Data Privacy Framework and other international transfer mechanisms.

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

Mark Young

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, and state-sponsored attacks.

Mark has been recognized in Chambers UK for several years as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” and having “great insight into the regulators.”

Drawing on over 15 years of experience advising global companies on a variety of tech regulatory matters, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology (e.g., AI, biometric data, Internet-enabled devices, etc.).
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • GDPR and international data privacy compliance for life sciences companies in relation to:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance.
  • Cybersecurity issues, including:
    • best practices to protect business-critical information and comply with national and sector-specific regulation;
    • preparing for and responding to cyber-based attacks and internal threats to networks and information, including training for board members;
    • supervising technical investigations; advising on PR, engagement with law enforcement and government agencies, notification obligations and other legal risks; and representing clients before regulators around the world; and
    • advising on emerging regulations, including during the legislative process.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.

Jasmine Agyekum

Jasmine Agyekum advises clients on a broad range of technology, AI, data protection, privacy and cybersecurity issues. She focuses her practice on providing practical and strategic advice on compliance with the EU and UK General Data Protection Regulations (GDPR), EU e-Privacy laws and the UK Data Protection Act. Jasmine also advises on a variety of policy proposals and developments in Europe, including on the EU’s proposed Data Governance Act and AI Regulation.

Jasmine’s experience includes:

  • Advising a leading technology company on GDPR compliance in connection with the launch of an ad supported video on demand and live streaming service.
  • Advising global technology companies on the territorial application of the GDPR and EU Member State data localization laws.
  • Representing clients in numerous industries, including, life sciences, consumer products, digital health and technology and gaming, in connection with privacy due diligence in cross-border corporate mergers & acquisitions.
  • Advising clients on responding to data breaches and security incidents, including rapid incident response planning and notifications to data protection authorities and data subjects.

Jasmine’s pro bono work includes providing data protection advice to a mental health charity in connection with their launch of a directory of mental health and wellbeing support to children and working with a social mobility non-profit organization focused on widening access to opportunities in the law to individuals from various socio-economic backgrounds.

Diana Lee

Diana Lee is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Diana’s practice focuses on regulatory and enforcement matters relating to electronic surveillance, law enforcement access to digital evidence, and data privacy and cybersecurity. She also routinely advises clients on content moderation and consumer protection issues. Before rejoining the firm, she clerked for Judge Victor A. Bolden, United States District Judge for the District of Connecticut.

Diana is a member of the Bars of New York and the District of Columbia.

Laura Somaini

Laura Somaini is an associate in the Data Privacy and Cybersecurity Practice Group.

Laura advises clients on EU data protection, e-privacy and technology law, including on Italian requirements. She regularly assists clients in relation to GDPR compliance, international data transfers, direct marketing rules as well as data protection contracts and policies.