On July 10, 2023, the European Commission adopted its adequacy decision on the EU-U.S. Data Privacy Framework (“DPF”). The decision, which took effect on the day of its adoption, concludes that the United States ensures an adequate level of protection for personal data transferred from the EEA to companies certified to the DPF. This blog post summarizes the key findings of the decision, what organizations wishing to certify to the DPF need to do and the process for certifying, as well as the impact on other transfer mechanisms such as the standard contractual clauses (“SCCs”), and on transfers from the UK and Switzerland.
The Commission’s adoption of the adequacy decision follows three key recent developments:
- the endorsement of the draft decision by a committee of EU Member State representatives;
- the designation by the U.S. Department of Justice of the European Union and Iceland, Liechtenstein, and Norway (which together with the EU form the EEA) as “qualifying states,” for the purposes of President Biden’s Executive Order 14086 on Enhancing Safeguards for U.S. Signals Intelligence Activities (“EO 14086”). This designation enables EU data subjects to submit complaints concerning alleged violations of U.S. law governing signals intelligence activities to the redress mechanism set forth in the Executive Order and implementing regulations (see our previous blog post here); and
- updates to the U.S. Intelligence Community’s policies and procedures to implement the safeguards established under EO 14086, announced by the U.S. Office of Director of National Intelligence on July 3, 2023.
The final adequacy decision, which largely corresponds to the Commission’s draft decision (see our prior blog post here), concludes “the United States … ensures a level of protection for personal data transferred from the Union to certified organisations in the United States under the EU-U.S. Data Privacy Framework that is essentially equivalent to the one guaranteed by [the GDPR]” (para. 201).
Key Findings of the Decision
In reaching the final decision, the Commission confirms a few key points:
- Legal framework with conditions. The decision states that “when U.S. law enforcement and national security authorities access personal data falling within scope of this Decision, such access is governed by a legal framework that lays down the conditions under which access can take place and ensures that access and further use of the data is limited to what is necessary and proportionate to the public interest objective pursued” (para. 200).
- Interference is limited to what is strictly necessary. The Commission considers that the U.S. legal framework, including the limitations, safeguards and redress mechanism established by EO 14086, ensures that “any interference … by U.S. public authorities with the fundamental rights of the individuals whose personal data are transferred from the Union to the United States under the [DPF], will be limited to what is strictly necessary to achieve the legitimate objective in question, and that effective legal protection against such interference exists” (para. 203).
- Limitations and safeguards imposed on access to personal data by U.S. authorities. The Commission confirmed “[t]he limitations and safeguards introduced by EO 14086 supplement those provided by Section 702 FISA and EO 12333. The requirements described [in EO 14086] must be applied by U.S. intelligence agencies when engaging in signals intelligence activities pursuant to Section 702 FISA and EO 12333” (para. 125).
- Establishment of two-tier redress mechanism for EU data subjects under EO 14086. The Commission provides greater clarity on the process by which EU data subjects can submit complaints through the two-tier redress mechanism established under EO 14086 “concerning an alleged violation of U.S. law governing signals intelligence activities (e.g., EO 14086, Section 702 FISA, EO 12333)” (para. 176). The decision specifies that an EU data subject must submit a complaint to a Data Protection Authority (“DPA”) in an EU Member State. After the DPA has verified the requirements for filing a complaint have been met (e.g., provided a basis for alleging that a violation of U.S. law has occurred – actual knowledge is not required), the DPA must channel the complaint, via the secretariat of the EDPB, to the redress mechanism in the U.S., which comprises an initial investigation of the complaint by the Civil Liberties Protection Officer of the Director of National Intelligence (“ODNI CLPO”), and, where sought by the data subject, a review of the ODNI CLPO’s decision before the Data Protection Review Court (paras. 177 – 179, 183-184).
The Commission will periodically review the adequacy decision, with the first review scheduled for 2024, to verify whether the safeguards and redress mechanisms provided in EO 14086 and the Data Protection Review Court “have been fully implemented and are functioning effectively in practice” (para. 211).
What Do Organisations Need To Do To Self-Certify to the DPF?
The DPF establishes a set of principles and supplemental principles (collectively, the “Principles”), which are binding on organisations participating in the DPF. The Principles remain largely unchanged compared to the principles under the Privacy Shield, and impose obligations, including:
(1) transparency, by requiring participants to inform individuals of their certification to the DPF, including the specific U.S. entities adhering to the Principles (“notice”);
(2) requiring participants to provide data subjects with the possibility to opt-out of disclosures of personal data to third parties, and of materially different uses of personal data to the purpose(s) for which the data was originally collected or subsequently authorized (“choice”);
(3) stricter rules with regards to onward transfers, including the requirement to enter into a data processing contract and ensure such data is processed for limited and specified purposes, consistent with the Principles; and
(4) the right to access, correct, amend or delete the personal data held by the organisation.
The supplemental principles set out additional requirements on, among others, the transfer of sensitive and HR data, the process of self-certification to the DPF, and mandatory contracts for onward transfers.
Participation in the DPF is voluntary. However, once a company decides to certify to the DPF, compliance with the Principles are compulsory and enforceable by data subjects via, among others, a binding arbitration option.
How Do Organizations Self-Certify to the DPF?
The DPF relies on a self-certification mechanism, administered by the Department of Commerce, which has administered the previous frameworks. Companies must submit information through a dedicated website, including, among others:
- the name of the self-certifying or re-certifying U.S. organisation, and the name(s) of any U.S. entities or subsidiaries that will also adhere to the Principles;
- a description of the organisation’s activities (e.g., the purpose(s) of processing) with respect to the transferred personal data;
- the relevant independent recourse mechanism available to investigate unresolved Principles-related complaints.
To participate in the DPF, companies will be required to pay a fee, and re-certify annually. The Department of Commerce will maintain a publicly available list of participants.
The supplemental principles specify that the “DPF benefits are assured from the date on which the Department [of Commerce] places the organization on the Data Privacy Framework List” (sec. 6(a)). The Department of Commerce will only place an organisation on the DPF List after having determined that the organisation’s initial self-certification submission is complete, and will remove the organisation from the list if it voluntarily withdraws, fails to complete its annual re-certification, or if it “persistently fails to comply with the Principles” (sec. 6(a)).
Importantly, the Department of Commerce has confirmed that organisations that have maintained their self-certification to the EU-U.S. Privacy Shield (“Privacy Shield”) do not need to re-certify to the DPF in order to rely on it, provided they comply with the DPF Principles, including updating their privacy policies, by 10 October, 2023.
The DPF website – which organisations can use to make initial self-certification submissions (where they were not previously self-certified to the Privacy Shield) or recertify under the DPF Principles – launched on 17 July, 2023.
Impact on EU-US Data Transfers & Other Data Transfer Tools
Importantly, transfers of personal data can take place freely from the EU to organisations who are certified to the DPF (although where data processors are enrolled, an Article 28 processing contact also needs to be in place). Companies relying on Standard Contractual Clauses or Binding Corporate Rules will also benefit from the Commission’s adequacy decision, as companies may refer to the decision in their own U.S. transfer impact assessments.
UK-U.S. data transfers
From 17 July, 2023, organisations in the U.S. that wish to self-certify their compliance to the UK Extension to the DPF (“UK Extension”) may do so. However, they cannot begin relying on the UK Extension to receive personal data from the UK (and Gibraltar) until the UK’s adequacy regulation (a “data bridge”) implementing the UK Extension enters into force. (An agreement in principle was reached on 8 June, 2023). Organisations that wish to participate in the UK Extension must also participate in the DPF.
Swiss-U.S. data transfers
From 17 July 2023, organisations in the U.S. that wish to self-certify to the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) may do so. However, organisations cannot begin relying on the Swiss-U.S. DPF to receive personal data from Switzerland until the Swiss Federal Administration’s anticipated adequacy decision on the Swiss-U.S. DPF (which we expect to see published in the next few months) enters into force.
Covington regularly advises companies on all aspects of their international transfers. Our team is happy to assist with any inquiries relating to the new EU-U.S. Data Privacy Framework and other international transfer mechanisms.