More than a year after the Trans-Atlantic Data Privacy Framework was first announced, the European Commission adopted its adequacy decision on the EU-US Data Privacy Framework (DPF) on 10 July 2023, and the decision entered into force with immediate effect. Transfers of personal data from the EEA to US companies that have signed up to the DPF are now treated as transfers to an “adequate” destination.
The new adequacy decision comes three years after the Schrems II decision of July 2020, which invalidated the Privacy Shield as a lawful basis for transferring personal data from the EU to the US. (For more detail on the Schrems II decision see our article here.) The DPF seeks to address the concerns raised in Schrems II by introducing new binding safeguards that limit US intelligence services’ access to EU personal data to what is necessary and proportionate, and by establishing a Data Protection Review Court, which will independently investigate complaints lodged by Europeans.
Under the DPF, US companies self-certify their participation by committing to comply with a detailed set of privacy obligations which, unsurprisingly, align with GDPR-style principles. Companies currently self-certified under the Privacy Shield Framework have access to a simplified procedure for self-certifying under the new DPF. Because the adequacy finding is partial and conditional, covering only organisations that have self-certified, EU exporters can transfer personal data to those self-certified companies without having to carry out a transfer risk assessment or put in place supplementary measures. More information on the self-certification process is available via this DPF website, and we expect a rush of applications from eligible US companies, especially large US service providers and B2C businesses and e-retailers with many clients and customers in the EU.
The adequacy decision only covers transfers from the EU to the US, but the focus should now shift to UK-US adequacy, with a similar process under which the UK is designated a “qualifying state”. Our understanding is that the ICO is preparing its opinion on the UK-US data bridge, known as the UK Extension to the Data Privacy Framework, which will then need to be approved by the UK Government. Since the UK-US data bridge is an extension of the DPF, it will be very similar in nature to the EU-US deal. It is also worth noting that the US Department of Commerce’s DPF overview confirms that, as of 17 July 2023, eligible US organisations wishing to self-certify their compliance under the UK Extension to the DPF may do so. However, (i) to participate in the UK Extension, a US organisation must also participate in the EU-US DPF itself; and (ii) personal data cannot be transferred from the UK in reliance on the UK Extension before the adequacy regulations implementing the data bridge enter into force. No specific date for those regulations has been given, but given that the US has always been one of the UK Government’s priority partnerships, and that the UK was expected to move quickly after the EU adequacy finding, we can hope to see them sooner rather than later.
And what of transfers from Switzerland to the US? Again, the US has stated that the effective date of the Swiss-US DPF Principles is 17 July 2023; however, personal data cannot be transferred from Switzerland in reliance on this mechanism until Switzerland’s recognition of adequacy for the Swiss-US DPF enters into force. At present the US does not appear in the list of adequate countries in Annex I of the new Federal Act on Data Protection (due to come into force on 1 September 2023), but the list is expected to be amended in due course.
Does this solve everything?
Not quite. Not all US companies can take advantage of the DPF: only organisations that are subject to the investigatory and enforcement powers of the Federal Trade Commission or the Department of Transportation can self-certify under it. Certain manufacturing and financial services companies, for instance, fall outside those powers and are not eligible, so they will still need to rely on other transfer mechanisms such as the Standard Contractual Clauses.
Further, this DPF only covers transfers to the US. Transfers outside of the EEA/UK to non-adequate countries will still require data exporters to put in place lawful transfer mechanisms as well as carry out transfer risk assessments and where necessary put in place supplementary measures. Therefore, the headache still very much exists for non-US transfers.
Overall, the adequacy decision is a positive outcome and will be welcomed by businesses, as it provides legal certainty for data transfers from the EEA (and, we hope, soon the UK) to the US. Indeed, we suspect we will see a flurry of EU (and likely UK) organisations, as well as large US companies such as Meta, Amazon and Microsoft, swiftly incorporating the DPF into their US transfer documentation as part of yet another re-papering exercise. However, while this is a step in the right direction, Max Schrems and noyb have already panned the DPF as “largely a copy of the failed ‘Privacy Shield’” that does not go far enough to address the “fundamental” surveillance issues identified in Schrems II, and they “expect this to be back at the Court of Justice by the beginning of next year”. It will therefore surprise no one to see a Schrems III on the horizon. Let’s hope we at least get a summer off!