Background

The European Commission (EC) issued the long-awaited adequacy decision for the new EU-U.S. Data Privacy Framework (Framework) on July 10, 2023. The Court of Justice of the European Union (CJEU) had previously invalidated both the U.S.-EU Safe Harbor in 2015, and the U.S.-EU Privacy Shield in 2020 after challenges by Austrian privacy activist Max Schrems (CJEU decisions known as Schrems I and Schrems II, respectively). Following those decisions President Biden signed Executive Order 14086 on “Enhancing Safeguards for United States Signals Intelligence Activities”, which introduced new binding safeguards. Our previous client alert discussed how the draft adequacy decision, including in relation to this this Executive Order, addressed concerns raised in Schrems II.

The Principles

The privacy principles contained in Annex I of the Framework (Principles) remain the same as under the Privacy Shield. These are:

  1. Notice, which focuses on providing individuals with transparency about how their personal data will be processed and how to exercise their rights of access, objection, rectification, and erasure, among others.
  2. Choice, which allows individuals to choose whether their personal data is disclosed to third parties and whether it may be used for purposes different from those for which it was originally collected and authorised by the individuals.
  3. Accountability for onward transfer, which limits transfers of personal data to third parties to specified purposes and where there is the same level protection under the Principles.
  4. Security, which requires personal data to be protected from loss, misuse, unauthorised access, disclosure, alteration, and destruction.
  5. Data integrity and purpose limitation, which requires that processing be fair and lawful and used for specific purposes.
  6. Access, which grants individuals the ability to correct, amend, or delete inaccurate data or data processed in violation of the Principles.
  7. Recourse, enforcement, and liability, which requires organisations to be monitored by and cooperate with supervisory authorities.

Which companies are in scope?

Under the Framework, organisations may self-certify by submitting an application and accompanying documents to the U.S. Dept. of Commerce (DOC) showing their adherence to the Principles. Only those organisations under the authority of the U.S. Federal Trade Commission (FTC) or the Department of Transportation (DoT) may self-certify. For example, banks and insurers are not included. The Principles apply immediately upon certification, and organisations are required to re-certify annually. Certified organisations will be listed in a public list (Framework List). In a statement issued on July 10, 2023, the DOC stated that it expects that the new Framework site will be up and running sometime in the next few days.

Certification under the Framework requires organisations to publicly declare their commitment to comply with the Principles, publish their privacy policies and fully implement them. In addition, organizations must provide a description of purposes of processing personal data to the DOC, identify the scope of personal data covered by the certification, verify their compliance and designate an independent recourse mechanism as well as the statutory body empowered to enforce compliance with the Principles.

Monitoring and enforcement

The DOC will monitor compliance with the Framework and carry out random spot checks as well as investigate potential compliance issues, such as when reported to the DOC by third parties. Organisations that persistently fail to comply with the Principles will be removed from the Framework List and must return or delete the personal data received under the Framework.

Other data transfer mechanisms

The EC also clarified in its Q&A on the Framework that the new safeguards that were put in place under Executive Order 14086 apply to all data transfers to the U.S. The new safeguards thus facilitate other data transfer mechanisms, such as transfers based on standard contractual clauses (SCCs) and binding corporate rules. Organizations will have to update their Transfer Impact Assessments in light of the new U.S. safeguards. An update of the SCCs will usually not be required.

What’s next?

Schrems III?: Max Schrems has already announced that he plans to challenge the Framework. Despite the EC’s adequacy decision, there is no legal certainty as to whether the Framework will survive a challenge before the CJEU. It could be invalidated, like its two predecessors, or be upheld as an adequate mechanism, as is the case with the standard contractual clauses and binding corporate rules. Given the nearly 100% likelihood of a challenge to the Framework, organisations may wish to take a wait and see approach. Alternatively, eligible organisations may self-certify so that they may benefit from unencumbered transatlantic data transfers. Either way the next step is critical.

Choose the appropriate mechanism: Organisations involved in data transfers to the U.S. should assess what is their preferred and most appropriate data transfer mechanism. For some organizations a certification for the Framework in the U.S. will be best; others might prefer relying on the SCCs plus the new U.S. safeguards.

For EU data exporters: EU data exporters should check their agreements with U.S. data importers and request information on whether current data transfer mechanism will continue to be used going forward and whether there will be changes to any subprocessors or onward transfers. Further, EU data exporters must prepare to update their transfer impact assessments and, if the data transfer mechanism is changed to the Framework, amend privacy policies/notices, records of processing activities, and information in cookie consent tools. Data exporters should also check if tools or solutions that could not be used in the past due to data transfers issues may now safely be used.

For U.S. data importers: U.S. data importers should be prepared for questions from their EU data exporters about exploring a change from their existing the data transfer mechanism to the Framework. The FTC is expected to publish requirements and procedures in the next few days on https://www.dataprivacyframework.gov/s/program-overview.

Outlook: It is certainly good news that the EC has issued its adequacy decision in relation to the Framework and has done so earlier than expected. Further good news is that EU organizations will have fewer obstacles when doing business with U.S. organizations. It should also provide renewed confidence for U.S. organizations that receive transfers of personal data from their EU-based subsidiary and affiliates. That good news must be tempered, however, given Schrems’ upcoming challenge to the Framework, as it will be up to the CJEU to determine whether Biden’s Executive Order 14086 and the respective safeguards are enough to survive the challenge. If we were inclined towards betting, we would, together with the US and EC, back the Framework as being here to stay.