On December 13, 2022, the European Commission published a draft adequacy decision for the EU-U.S. Data Privacy Framework (“EU-U.S. DPF” or “DPF”), signaling the potential return of a framework allowing the flow of personal data between the EU and the United States. Although this is only a draft decision, if approved it will ease trans-Atlantic data flows and loosen the restrictions put in place after the 2020 Schrems II decision invalidated the EU-U.S. Privacy Shield framework for cross-border transfers. The draft adequacy decision ultimately concludes that the DPF provides an adequate level of protection for personal data.
The European Commission came to this draft adequacy decision after an extensive assessment of the U.S. legal framework’s safeguards for the transfer of personal data, including recent commitments the U.S. undertook to address data protection concerns. Specifically, on October 7, 2022, President Biden issued an Executive Order addressing concerns that were raised in the Schrems II decision. The Executive Order added safeguards and supervision, with mechanisms for redress, for personal data that is collected by U.S. signals intelligence agencies. The Executive Order authorized the U.S. Attorney General’s October 7, 2022 Regulation that established a Data Protection Review Court, tasked with the review and redress of qualifying complaints.
The draft decision states that the commitments undertaken by the U.S., coupled with the updated EU-U.S. DPF, allow personal data transfers from controllers and processors in the EU to certified organizations “without the need to obtain any further authorizations.” The DPF sets out privacy obligations and principles that organizations must comply with to join and be eligible for certification. Organizations must recertify these commitments annually. Below are examples and summaries of some of the privacy commitments organizations must comply with to be eligible for DPF certification. Fortunately, these commitments should be practices that companies engaged in the transfer of personal data are already familiar with. Most, if not all, of the commitments outlined in the DPF are ones companies transferring personal data should already have in place.
- Purpose limitation and choice: Organizations must process personal data in a way that is compatible with the purpose of collection that was authorized by the data subject. In other words, if an organization is using personal data in a materially different way, it must provide data subjects with a clear and conspicuous opportunity to opt out of the processing.
- Processing of special categories of personal data: Organizations processing sensitive information must adhere to specific enhanced safeguards.
- Data accuracy, minimization, and security: Organizations must maintain accurate data that is kept up to date and should retain data for periods no longer than necessary for processing. Organizations should process personal data in ways that ensure the security of the personal data and take appropriate technical and organizational measures to ensure its protection.
- Transparency: Organizations must provide clear and conspicuous notice to data subjects about the main features of the processing of their personal data (i.e., via privacy policies, employee handbooks, participant agreements etc.).
- Individual rights: Organizations must provide enforceable rights to data subjects, including the right of access to data, the right to object to the processing, and the right to have data rectified and erased.
- Restrictions on onward transfers: Certified organizations that transfer personal data to a third-party controller or processor must follow stringent rules to ensure that the transfer is protected. Specifically, the transfer must be 1) limited and specific, 2) based on a contract between the DPF organization and the third party (i.e., a data processing agreement), and 3) governed by contract terms that require the third party to provide the same standard of protection required under the DPF principles.
- Accountability: Organizations that are certified under the EU-U.S. DPF must comply with the principles of the DPF as compliance is compulsory and enforceable. This includes having adequate technical and organizational measures to comply with the principles and obligations. Organizations must take measures to ensure that they meet the principles set out by the DPF through self-assessments and objective outside compliance reviews.
The DPF also provides redress options for EU citizens whose data is used in a way that violates the DPF’s obligations, with various avenues through which data subjects may enforce their rights. If the DPF is eventually approved, it will be subject to periodic reviews by the EU Commission, EU data protection authorities, and U.S. authorities.
The European Commission’s draft adequacy decision is not final; it must go through various steps before final approval and adoption. The draft adequacy decision has now been submitted to the European Data Protection Board (“EDPB”) for its opinion. The EU Commission must also receive approval of the draft adequacy decision from a committee of representatives of the EU Member States. Moreover, the European Parliament has a right of scrutiny over adequacy decisions. Only after these steps have taken place and the European Commission receives the green light from the relevant authorities can it adopt the final EU-U.S. Data Privacy Framework adequacy decision. Ultimately, it could be a while before we see the DPF in practice. If the draft adequacy decision on the EU-U.S. DPF is adopted, European entities will be able to transfer personal data to participating organizations in the United States with more ease.
What Are My Current Options to Transfer Personal Data in the Interim?
While there are a few more crucial steps that must be taken before the DPF becomes an appropriate transfer mechanism, entities looking to transfer data between the United States and EU have a few options in the meantime:
- 2021 EU Standard Contractual Clauses (“SCCs”): The SCCs are model contracts created by the Commission for transferring data between the EU and the U.S. SCCs are the most used mechanism for transferring data out of the EU. In 2021, the Commission adopted modernized SCCs, replacing the old 2010 model clauses, to facilitate their use and to incorporate the requirements set by the Court of Justice in the Schrems II decision. The modernized version of the SCCs is now required for all data transfers, and the older clauses used in previous agreements must be replaced.
- Binding Corporate Rules (“BCRs”): BCRs are data protection policies adhered to by companies established in the EU, UK, and Switzerland for transfers of personal data outside these jurisdictions within a group of undertakings or enterprises. BCRs are beneficial for organizations with a global footprint. To illustrate, if ACME Corp. wanted to transfer personal data from its Paris, France office to its Tampa, Florida office, BCRs would allow such a transfer without needing to execute the SCCs. Notably, organizations must submit BCRs for approval to the competent data protection authority in the EU. The authority will approve the BCRs under the consistency mechanism set out in Article 63 of the General Data Protection Regulation (“GDPR”). This procedure may involve several supervisory authorities if the group applying for approval of its BCRs has entities in more than one EU Member State. The competent authority communicates its draft decision to the EDPB, which will issue its opinion on the BCRs. Once the BCRs have been finalized in accordance with the EDPB opinion, the competent authority will approve them.
If approved, it will be interesting to see whether the EU-U.S. DPF prompts similar frameworks with other countries and regions such as Switzerland and the United Kingdom. Currently, the Swiss Data Protection Authority permits the SCCs to be used to transfer data between the United States and Switzerland (like the EU-U.S. Privacy Shield, the Swiss-U.S. Privacy Shield was invalidated by the Swiss data protection authority following Schrems II). Similar to the EU, the United Kingdom has its own version of model clauses, known as the International Data Transfer Agreement (“IDTA”), that permits the transfer of personal data between the U.S. and the United Kingdom. We will continue to monitor the EU-U.S. DPF as it flows through the approval channels. For more information on data privacy and security regulations and other data privacy questions, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy and Data Security mobile application.