Opinion

EU-U.S. Data Privacy Framework: adequacy decision adopted, the framework becomes operational

On 10 July 2023, the European Commission adopted the adequacy decision for the EU-U.S. Data Privacy Framework (DPF). This decision enables the free flow of personal data from the EU and three EEA countries (Iceland, Liechtenstein and Norway) to organizations in the U.S. that are certified under the DPF, without having to rely on any other data transfer mechanism under the General Data Protection Regulation (GDPR), such as European Commission’s standard contractual clauses.

The United Kingdom Extension to the EU-U.S. DPF and Swiss-U.S. DPF Principles will also soon be in effect as described below.

Who is eligible for certification

To be eligible for certification under the DPF, a U.S. organization must be supervised by  the Federal Trade Commission (FTC) or the U.S. Department of Transportation (DoT). For clarity, if a U.S. organization is not supervised under these regulatory bodies, it may not be able to take advantage of the safe harbour provided by the DPF. The European Commission’s adequacy decision names banks, insurance companies and certain non-profit organizations as examples of organizations that do not fall under the jurisdiction of the FTC. 

An organization willing to participate in the DPF must publicly declare its commitment to comply with the DPF Principles, disclose its privacy policies in line with the DPF Principles and implement them fully. 

You can read about the DPF and the draft adequacy decision in our blog here. We summarised the European Data Protection Board’s (EDPB) opinion on the DPF and the draft adequacy decision here. The final decision includes a number of changes to reflect the recommendations of the European Data Protection Board (EDPB) and other stakeholders.  The adequacy decision took effect on 10 July 2023, and from that date the EU data exporters can rely on the DPF for their data transfers to U.S. organizations that are included in the DPF list. The list is maintained by the International Trade Administration (ITA) of the U.S. Department of Commerce (DOC). 

On 17 July 2023, the full version of the new website www.dataprivacyframework.gov was launched by the ITA. The website enables self-certification submissions and updates, lists current certifications and provides guidance (including FAQs on various aspects of the DPF) and DPF documentation. The website facilitates all three DPF programmes (for the EU, the UK and Switzerland).

DOC guidance

Following the adoption of the adequacy decision by the European Commission, the DOC published an advisory, clarifying the practical aspects of the new data transfer framework. According to the advisory:

  • U.S. based organizations that have been self-certified under the EU-U.S. Privacy Shield Framework must comply with the EU-U.S. DPF Principles, including by updating their privacy policies by 10 October 2023. In the meantime, they do not need to make a separate, initial self-certification submission to participate in the EU-U.S. DPF and may begin relying immediately on the European Commission’s DPF adequacy decision to receive personal data transfers from the EEA;
  • Self-certified organizations under the Privacy Shield that do not wish to participate in the EU-U.S. DPF must withdraw their certification, following a prescribed procedure;
  • From 17 July 2023, “eligible organizations in the US” (in a nutshell - organizations participating in EU-U.S. DPF) will also be able to self-certify to the UK Extension to the EU-U.S. DPF. However, these organizations may not begin relying on the UK Extension until the UK adequacy regulations implementing the data bridge for the UK Extension enter into force. The DPF website provides an overview of the UK Extension and the FAQs, available here;  
  • Organizations that wish to participate in the UK Extension to the EU-U.S. DPF must also participate in the EU-U.S. DPF; 
  • On 17 July 2023, the Swiss-U.S. DPF Principles will also enter into effect. The requirements are similar as for organizations that are currently registered under the Privacy Shield Framework described above, however, they may not begin relying on the Swiss-U.S. DPF to receive personal data transfers from Switzerland until the Swiss Federal Administration issues its own adequacy decision for the Swiss-U.S. DPF. 

EDPB information note

On 19 July 2023, the EDPB issued an an information note on the EU-U.S. Data Privacy Framework. The EDPB confirmed that transfers under the European Commission’s adequacy decision regarding the DPF do not need supplementary measures. On the other hand, transfers to entities in the U.S. that are not included in the DPF list will need to rely on one of the transfer tools under the GDPR, such as European Commission’s standard contractual clauses or binding corporate rules. When evaluating the effectiveness of one of the transfer tools under Art.46 GDPR, data exporters should take into account the European Commission’s assessment of the US legal regime included in the adequacy decision. 

The EDPB reiterates that all safeguards in the area of national security that the U.S. Government has implemented for the DPF (including the redress mechanism) apply to all data transferred to the U.S., regardless of the transfer tool. The EDPB Chair Anu Talus noted that the EDPB plans to pay “special attention” to the correct implementation of the EU-U.S. DPF.

International reactions to the adequacy decision 

Various supervisory authorities, civil society and other organizations have issued their reactions to the adequacy decision, including the following:

  • The European Data Protection Board (EDPB) published the comments of its Chair, Anu Talus, who stated that the EDPB “takes note that the EU-U.S. DPF has been adopted and looks forward to the participation in its next plenary meeting to shed light on the adequacy decision and on the changes following the EDPB opinion.” The EDPB statement is available here.
  • Supervisory authorities in many EEA member states, such as Germany’s BfDI, France’s CNIL, Denmark’s Datatilsynet and Norway’s Datatilsynet, published statements taking note of the adequacy decision and providing guidance to the stakeholders. The BfDI statement is available here (in German), the CNIL statement here (in French), the Datatilsynet (Denmark) press release here (in Danish) and the Datatilsynet (Norway) statement here (in Norwegian).   
  • Switzerland’s Federal Data Protection and Information Commissioner (FDPIC) issued a press release taking note of the adequacy decision. Notably, the FDPIC highlighted that Switzerland is also in the process of concluding a Data Privacy Framework with the US, and that the discussions are well advanced. The FDPIC also noted that, as of 1 September 2023, the Federal Council will decide upon adequacy under the new Swiss data protection legislation, stating that Switzerland's adequacy list will remain unchanged in the meantime. The FDPIC’s press release is available here
  • The US White House and Department of Commerce released statements welcoming the European Commission’s adequacy decision. The Department of Commerce observed that transatlantic data flows underpin more than USD 1 trillion in cross-border trade and investment annually and create vast economic opportunities. The US White House statement is available here and the Department of Commerce statement here
  • none of your business (noyb), a privacy rights organization, released a statement criticising the DPF and expressing its intention to challenge the adequacy decision in court. noyb noted that the DPF is largely similar to the previous EU-U.S. Privacy Shield and that there is little change in the US law. The noyb press release is available here.

Practical outcomes

Companies that have previously relied on the EU-U.S. Privacy Shield and the Safe Harbor frameworks face another dilemma: whether or not to try, for a third time, to certify compliance to a framework that may very well be short-lived or invalidated. Seeking certification can potentially alleviate years’ worth of contractual and compliance burdens; however, there is a chance that the DPF will significantly increase the burdens placed on U.S. companies and subject them to complex litigation and regulatory risks.  

For certain companies, the DPF may be a welcome change to comply with regulators’ demands. For example, the use of online tracking and analytic tools has been problematic in several European countries, including France, Italy, Norway, the Netherlands, and Sweden. Data protection supervisory authorities (DPA) challenged the lawfulness of data transfers to providers in the U.S., asserting that big tech providers, from the DPA perspective, were not able to implement sufficient “supplementary measures” to protect European analytics data against government surveillance to a standard that was “essentially equivalent” with EU law. We expect that U.S. big tech companies will very likely automatically transition to adopting the DPF to allow for legal cross-border data transfers.

Further resources

The press release of the European Commission is available here, the adequacy decision here, the Q&A here and the factsheet here. The statement of the U.S. Secretary of Commerce is available here. The National Security Division of the U.S. Department of Justice has also published an insightful memorandum supporting the designation of EEA countries as “qualifying states” for purposes of implementing the redress mechanism established in Executive Order 14086, available here.

Allen & Overy’s partner Jane Finlayson-Brown and special advisor Steve Wood recorded a video for Thomson Reuters Practical Law Cross-border data transfers: market practice, difficulties and developments (viewing requires subscription). The video discusses challenges faced by organizations navigating data transfers in compliance with differing data protection regimes, including the EU-U.S. DPF, as well as practical ways to address these challenges. This video was filmed prior to the European Commission adopting its final adequacy decision for the EU-U.S. DPF.

Content Disclaimer

This content was originally published by Allen & Overy before the A&O Shearman merger