The ability to transfer data between countries is the bedrock of trade and international relations. To facilitate barrier-free transfers of data between the EU and US, the European Commission (EC) adopted an adequacy decision under Article 45 of the GDPR on the new EU-US Data Privacy Framework (the DPF) on 10 July 2023. As the European Data Protection Board (EDPB) clarified in their recent information note, this adequacy decision will allow for the free flow of data across the Atlantic to companies who self-certify under the DPF.
Data transfers between the EU and the US became a complex and labour-intensive matter following the Court of Justice of the European Union’s (CJEU) ruling against the EU-US Privacy Shield (Privacy Shield) in 2020. Since this ruling, we have seen EU regulators issue a number of decisions regarding the issue of transatlantic data flows, particularly targeting Google Analytics and other Google services, and Meta. This has led to uncertainty for companies of all sizes about the compliance of their own operations.
While this adequacy decision is a welcome development for all who transfer data between the two blocs, it remains to be seen whether this is going to be a lasting solution to the issue of transatlantic data transfers.
Background
Under the GDPR, international data transfers can take place if a data transfer mechanism is used, such as an Adequacy Decision or Standard Contractual Clauses (SCCs). An adequacy decision is the simplest approach to data transfers, as transfers made on the basis of this mechanism do not require any additional assessments of the country in question. The EC has already made the assessment that the legal framework of the country provides a similar level of protection as that provided within the EU.
While the US has never received an adequacy decision based on its legal framework alone, two previous schemes have: EU-U.S. Safe Harbor and the Privacy Shield. Under these frameworks, organisations could self-certify that they complied with certain privacy principles and could therefore provide guarantees that the imported personal data would be sufficiently protected. Both of these frameworks were invalidated by the CJEU.
In the absence of an adequacy decision, organisations could continue to transfer data to the US using alternative transfer mechanisms, such as SCCs or the derogations contained in Article 49 of the GDPR. However, prior to implementing these mechanisms, organisations are required to conduct their own assessment of whether the importing organisation can provide adequate protection, using a tool known as a Transfer Impact Assessment (TIA). If an organisation determines that the transfer poses a significant risk to the data subject, and no additional measures would sufficiently mitigate this risk, the transfer cannot go ahead.
These additional requirements inevitably restricted the free flow of data from the EU to the US and added a further layer of time-consuming bureaucracy for all involved.
In response to these issues, President Biden put into place Executive Order 14086 (EO) to limit US mass surveillance activities and provide a mechanism for effective redress for non-US citizens. The EC in turn drafted an adequacy decision for the new framework for transatlantic data transfers: the DPF.
Satisfying the concerns of the CJEU
The main reasons why the CJEU struck down Safe Harbor and Privacy Shield were:
- The extent of US surveillance activities: the CJEU found that US surveillance is not limited to what is strictly necessary and proportionate, and therefore is not in line with Article 52 of the EU Charter of Fundamental Rights (“EU Charter”).
- Lack of an effective redress mechanism: EU individuals who are subject to US surveillance activities do not have actionable judicial redress in the US, as is required by Article 47 of the EU Charter.
The US government responded to these concerns with the EO as follows:
- Proportionality: The EO adopted a US interpretation of the proportionality principle and limited the instances where data can be accessed by US surveillance agencies to defined situations.
- Redress: The EO introduced a two-layer redress mechanism system. Non-US individuals will now have the right to lodge a complaint with the Civil Liberties Protection Officer. If the result of this decision is not satisfactory, they can appeal the decision before the Data Protection Review Court (DPRC).
The measures outlined in the EO are welcome limitations on the powers of US surveillance agencies and provided sufficient assurance to the EC, which has accordingly adopted the adequacy decision for the DPF.
Future Challenges
Max Schrems was the complainant behind the invalidation of the previous two frameworks. His privacy activist organisation, noyb, has stated that it does not believe that the EO addressed the CJEU’s concerns and expects the DPF to face the same fate as its predecessors.
noyb further argues that the US has not sufficiently addressed the issue of mass surveillance. To bring its surveillance activities in line with Article 52 of the Charter, the US has adopted its own meaning of the word “proportionate”, which differs from the EU’s interpretation of the term. Furthermore, noyb states that the redress mechanism would not be considered sufficient under Article 47 of the Charter, as the DPRC is not a court, but a partly independent executive body.
In light of these comments, we can expect the DPF to have its day in court in the near future. Indeed, noyb has predicted that the DPF will be challenged in the CJEU “in a matter of months.”
What does this mean in practice?
Despite uncertainties about the durability of the DPF, this is nonetheless a welcome development for companies on both sides of the Atlantic. We have outlined below the actions your organisation should take to enjoy the benefits of the DPF.
For US organisations:
- The US Department of Commerce (DoC) has provided guidance that organisations can self-certify their participation in the DPF by committing to comply with a set of privacy obligations. Organisations who maintained their Privacy Shield certification do not need to recertify as long as they update their privacy policies by October 10, 2023.
- Organisations should also review and assess their internal processes to ensure that they reflect the DPF principles. The Federal Trade Commission can investigate compliance with the DPF principles and may impose enforcement actions against non-compliant organisations.
For EU organisations:
- When assessing a new data transfer to a US company, you should check whether the US company has signed up to the DPF using the new DPF website.
- If you have already implemented SCCs with a US-based importing organisation and would like to solely rely on the DPF, you will need to amend your existing contracts to reflect this change. However, you may also leave the SCCs in place and proceed without any amendments, as long as you have updated your TIAs (see below).
- If you change your contracts, you should also update any compliance documentation that describes your international transfer activities accordingly, such as privacy notices, third party registers, international transfers policies and Records of Processing Activities.
- Note: you will not be required to conduct TIAs for transfers that use the DPF as a transfer mechanism.
For UK organisations:
- The EU-US adequacy decision does not apply to the UK as it is no longer part of the EU. However, the UK and US have jointly announced their intention to establish a UK-US data bridge. Until this is in place, however, UK organisations should continue to rely on alternative transfer mechanisms such as the UK International Data Transfer Agreement (IDTA) or the UK addendum to the EU SCCs.
For multinational organisations:
- SCCs may be the more appropriate data transfer mechanism for intragroup data transfers, as these can cover transfers to multiple non-EU countries, whereas the DPF is specific to EU-US transfers.
Regardless of where your organisation is established, if you continue to rely on another transfer mechanism for exporting data to the US, such as SCCs, you will still be required to complete TIAs for each data transfer that does not use the DPF. However, these TIAs should take the EC’s adequacy decision into consideration when assessing the risk posed by this data transfer.
Conclusion
The development of the DPF is a testament to the joint efforts put in by authorities from both sides of the Atlantic to remove barriers to business and facilitate the relationship between these nations. However, though the EO has provided welcome safeguards to protect the data of non-US nationals, it is not certain that it has gone far enough to address the concerns that were initially raised about Privacy Shield. As such, we can expect that the DPF may face its day before the CJEU in the not-too-distant future.
In the meantime, organisations who transfer data across the Atlantic may need to update their processes to reflect this new adequacy decision, as outlined above. Trilateral’s Data Protection and Cyber-Risk Team has extensive experience advising and assisting organisations in ensuring they meet their obligations in the area of international data transfers. For more information, please feel free to contact our advisors.