The new framework provides an additional route for personal data transfers from the EEA to the US.
On 10 July 2023, the European Commission (EC) took the final step to enable businesses to start relying on the new EU-US Data Privacy Framework (DPF) for transfers of data from the European Economic Area (EEA) to the US. The EC adopted an adequacy decision following the fulfilment by the US of its implementation commitments under the DPF. The adequacy decision enables organisations to transfer personal data from the EEA to organisations in the US that have self-certified under the DPF with immediate effect. As of 10 July 2023, organisations that were certified under the EU-US Privacy Shield (Privacy Shield) are now certified under the DPF and can begin receiving data from the EEA via the DPF.
The DPF was finalised following lengthy negotiations between the US government and the EC after the European Court of Justice (CJEU) invalidated the Privacy Shield in July 2020 (commonly referred to as the Schrems II case). The CJEU’s main concern with respect to the Privacy Shield related to US public authorities’ potential use of and access to EEA citizens’ personal data without being restricted by the principle of proportionality. The CJEU also concluded that EEA data subjects had no effective redress mechanisms to challenge US surveillance practices. To address these concerns, the US introduced safeguards and a new redress mechanism via an executive order. In addition, the US Attorney General established a new Data Protection Review Court (DPRC).
While the binding adequacy decision only recently went into effect, activists in the EU will likely challenge it soon. The EC and US government have expressed confidence that the DPF meets the CJEU’s concerns in Schrems II and should survive any such challenge. Unless and until any such challenge is successful, organisations can transfer EEA citizens’ personal data to DPF-certified organisations in the US, safe in the knowledge that such transfers are lawful under the GDPR and, importantly, the adequacy decision is binding on local data protection authorities.
What should organisations do next?
The next steps for organisations in the US that receive personal data from the EEA largely depend on whether the organisation is already a participant in the Privacy Shield (and whether they now wish to rely on the DPF or continue to rely on other transfer mechanisms, in particular standard contractual clauses (SCCs)). Wider considerations, including the impact of the DPF on existing Transfer Impact Assessments (TIAs), will also be relevant for organisations transferring personal data from the EEA to the US. We summarise below the key considerations for relevant organisations.
Privacy Shield-certified organisations
Organisations that have maintained their Privacy Shield certification are now certified under the DPF. The DPF requires such organisations to update their relevant privacy notices to replace references to the Privacy Shield with references to the DPF by 10 October 2023, but otherwise, their certification to the DPF transitions automatically.
Organisations that are not Privacy Shield-certified, but want to rely on the DPF for personal data transfers from the EEA to the US, will need to submit an application on the DPF website. Note that the DPF (similar to the Privacy Shield) is only available to entities that are subject to the jurisdiction of the Federal Trade Commission (FTC) or Department of Transportation. The US government has stated that it is in discussions with the EC to consider whether other entities (such as banks) can also be eligible to adopt the DPF.
Organisations that already comply with the GDPR are likely well-positioned to comply with the DPF, since the DPF adopts compliance principles similar to those of the GDPR. Even so, such organisations will need to carefully review their compliance program and develop evidentiary support for any self-certification. The DPF principles also share similarities with existing US state laws, such as the California Consumer Privacy Act.
Regardless of their compliance with existing privacy legal regimes, organisations should be careful to evaluate the specific DPF requirements, such as particular disclosure obligations, choices that must be offered to EEA data subjects, and requirements relating to the processing of sensitive data.
Significantly, certifying organisations must subject their processing of EEA data under the DPF to the enforcement authority of the FTC or the Department of Transportation.
In deciding whether to certify to the DPF, organisations should consider that alternative transfer mechanisms (such as SCCs) remain valid and may prove simpler in some circumstances. Indeed, the EC and US government have clarified that the changes to US law in response to Schrems II are applicable to personal data transfers from the EEA to the US, regardless of the transfer mechanism.
All EU organisations which transfer data to the US
Since the changes to US law also apply when data is transferred by other mechanisms (such as SCCs), EEA organisations should consider reviewing their TIAs underpinning all EU-US personal data transfers, and updating these to reflect the new US regime, i.e., the safeguards and new redress mechanism introduced via Executive Order (EO) 14086 and the DPRC, as noted above. EEA organisations can largely rely on the EC’s assessment of US law in the adequacy decision, which should simplify this exercise.
Summary of adequacy decision
In order to determine the adequacy of data transfers under the DPF, the EC has reviewed the steps that the US took to revise its practices in response to the issues identified in Schrems II. The EC assessed the safeguards that EO 14086 introduced, concluding that the new safeguards and redress mechanism address all of the CJEU’s concerns. The EC concluded that:
- in relation to redress, the new mechanism includes the establishment of the DPRC, an independent tribunal to which EEA individuals now have access;
- in relation to the US government’s access to personal data, US law contains various limitations and safeguards with respect to the access and use of personal data for criminal law enforcement and national security purposes; and
- US law provides appropriate safeguards, subject to adequate oversight and redress, limiting access to EEA data by the US intelligence agencies to what is necessary and proportionate.
The DPF will be subject to periodic reviews by the EC, together with representatives of European data protection authorities and competent US authorities. If the EC is concerned that an adequate level of protection is no longer ensured, it is authorised to suspend, amend, or repeal the adequacy decision or limit its scope. The EC’s first review will take place in July 2024.
UK and Swiss extensions
Following its departure from the EU, the UK will not be covered by the adequacy decision. The UK government will instead need to agree on an alternative arrangement with the US to cover the flow of UK personal data to the US. Such a framework would require the US to designate the UK as a “qualifying state” and the UK to issue an adequacy decision. On 17 July 2023, the UK confirmed that US organisations that are part of the DPF can also self-certify for the “UK extension” to the DPF, but cannot currently rely on it for UK personal data transfers until the UK adequacy decision is in place. We expect a timetable to be published in the coming months.
Organisations certified under the Swiss-US Privacy Shield Framework will also be able to transition to the DPF. However, as with the UK, transfers cannot be made until Switzerland is designated as a “qualifying state” and Switzerland’s adequacy decision is in force.
Notes
- Executive Order 14086 on “Enhancing Safeguards for United States Signals Intelligence Activities” (EO 14086).
- While the Privacy Shield ceased to be a valid mechanism for international data transfers following Schrems II, many organisations remained certified.
- Changes are required within three months of the effective date of the DPF (10 July 2023).
- The EU and Iceland, Liechtenstein, and Norway (together making up the EEA Member States) were designated as “Qualifying States” by the US Attorney General on 30 June 2023, effective immediately following the adoption of the adequacy decision on 10 July 2023.
- In addition to the changes made by EO 14086, and pursuant to its terms, the US intelligence community adopted various policies and procedures, which were published on 3 July 2023.