The United States ("U.S.") and the European Union ("EU") have settled on a framework for transfers of personal data for the first time since the European Court of Justice ("CJEU") effectively invalidate the EU-U.S. Privacy Shield in July 2020.
Chapter V of Regulation (EU) 2016/679 (the "GDPR") imposes restrictions on cross-border transfers of personal data to recipients located outside the European Economic Area ("EEA"). There are several mechanisms for overcoming those restrictions, one of which is an "adequacy decision", in which the European Commission determines that a jurisdiction provides an appropriate level of protection for personal data transferred to that jurisdiction. On July 10, the European Commission adopted an Adequacy Decision, affirming that the privacy protections and redress measures put into place by President Biden's October 2022 Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities provide the "required level of protection." For more information on President Biden's Executive Order on Enhancing Safeguards, see our October 2022 alert here.
The new EU-U.S. Data Privacy Framework ("DPF") provides individuals with safeguards and redress mechanisms protecting transfers of their personal data from the EU to participating U.S. companies and to U.S. government agencies, who may access personal data for law enforcement or national security purposes. The degree of protection for personal data from access by U.S. national security agencies access had been a central issue in the CJEU's 2020 decision to invalidate the Privacy Shield. U.S. Businesses may now self-certify to participate in the DPF using the new DPF Website launched by the Department of Commerce ("DoC").
The EU Approves the Data Privacy Framework – But Could Face Legal Challenges
The EU Adequacy Decision allows the DPF to go into effect immediately, allowing organizations in the EEA to transfer personal data to U.S. companies that self-certify to the DPF. The DPF is based on a system of self-certification where U.S. organizations commit to a set of privacy principles identified by the Department of Commerce ("DoC") . These Principles address certain fundamental data privacy principles such as notice, choice (ability to opt out), accountability for onward transfer, security, data integrity, purpose limitation, access, and recourse.
The new safeguards and redress measures controlling personal data collected by U.S. intelligence agencies also have become effective. The safeguards provide detailed guidelines and procedures governing access to personal data, including subpoena and warrant requirements. In addition, the redress measures available to individuals includes investigation of complaints by U.S. Civil Liberties Protection Officers, with appeals going to a newly created Data Protection Review Court.
Back in Business – U.S. Department of Commerce Certification and Monitoring of Companies
On the U.S. side, the DoC will administer the commercial transfers of personal data under the DPF. The DoC will maintain a Data Privacy Framework List of companies that have adequately self-certified their adherence to the Principles. The DoC released a new DPF Website on July 17, which provides detailed guidance on how U.S. companies can self-certify under the DPF. European businesses and individuals can use the website to find participating organizations and review their privacy policies. Similar to –EU-U.S. Privacy Shield, the U.S. Federal Trade Commission ("FTC") will enforce U.S. companies' compliance with their obligations under the DPF. Notably, the European Data Protection Board recently released an information note on the DPF's implications for individuals and entities transferring personal data to the U.S..
UK-U.S. Extension to the DPF Is in the Works
The Adequacy Decision applies to transfers of personal data from the EEA to the U.S. In parallel, the governments of the U.S. and United Kingdom ("UK") have agreed in principle to extend the DPF to data transfers from the UK. While the new DPF Website already allows companies to self-certify to participate in the UK extension to the DPF, that extension will go into effect only after the UK government completes its own assessment.
Next Steps
The DPF will provide businesses with an additional mechanism for GDPR-complianttransfers of personal to the U.S., while providing additional assurances to data subjects about the protection of their personal data both commercially and from U.S. intelligence agencies.
Under the Adequacy Decision, the European Commission will monitor implementation of the DPF. If the European Commission determines that an adequate level of protection is no longer ensured it will inform the relevant U.S. authorities while reserving the right to suspend, amend or repeal the Adequacy Decision. As with all Adequacy Decisions, there will be a review at least every four years, as mandated by the GDPR.
In addition, adequacy decisions can be challenged in the EU via the courts system. The Adequacy Decisions in respect of the DPF's two predecessors, the U.S.-EU Safe Harbor and the EU-U.S. Privacy Shield were challenged in court and ultimately overturned by the CJEU, and it is almost certain that the DPF will face similar challenges.
Going forward, the effectiveness of the oversight measures under the DPF will be measured by the occurrence and frequency of enforcement actions by the FTC and by the new Data Protection Review Court ("DPRC") will reveal how. In the meantime, data transfers using existing mechanisms including standard contractual clauses or binding corporate rule can be safely used to effectuate data transfers from the EEA to US, though they are typically more cumbersome to implement.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2023 White & Case LLP
