European Commission Approves EU-U.S. Data Privacy Framework, Paving Way for Streamlined Transfers of Personal Data

Swiftly on the heels of the U.S. announcing it fulfilled its commitments for implementing the EU-U.S. Data Privacy Framework (the Framework), the European Commission (the EC) formally recognized that commercial organizations in the United States that sign on to the Framework provide sufficient protections to transfer Europeans' personal data without additional safeguards. The Framework replaces the EU-U.S. Privacy Shield, which was invalidated by the European Court of Justice (CJEU) in July 2020.

The EC's Adequacy Decision recognized favorably the actions taken by U.S. law enforcement agencies and the intelligence community, particularly the U.S. Department of Justice (DOJ) and U.S. Office of the Director of National Intelligence (ODNI), to implement the new data safeguards contained in Executive Order 14086 (EO 14086). For further information on the actions the U.S. government took to implement EO 14086, see this blog post.

In its Adequacy Decision, the EC assessed the requirements, limitations, and safeguards applicable when personal data is transferred from the EU to the U.S. and how such data would be accessed by "public authorities," particularly federal agencies seeking personal information for criminal law enforcement, intelligence, and national security purposes. The EC concluded that the U.S., in light of reforms instituted by EO 14086, offered an "adequate level of protection" for personal data transferred from the EU to certified organizations participating in the Framework.

Takeaways from the EC's Adequacy Decision

• Significantly for U.S. businesses engaged in international transfers of personal data from the EU, adhering to the Framework allows for such transfers without the need for (1) conducting transfer impact assessments, and (2) incorporating Standard Contractual Clauses into individual contracts or data protection agreements.
• Although reliance on the Framework will streamline transfers, because of the likelihood of a legal challenge to the Framework, companies may still choose to rely on the Standard Contractual Clauses as a possible fallback. If companies continue to rely on the Standard Contractual Clauses, when conducting the required transfer impact assessment, the EC's Adequacy Decision will militate in favor of a conclusion that no supplemental safeguards are required.
• The Framework provides EU individuals with a series of new rights that were not required under the Privacy Shield – including the right to obtain access to their data, the right to correct inaccurate data, and the right to delete unlawfully processed data – when their personal data is transferred to U.S. companies participating in the Framework.
• The EC's Adequacy Decision highlighted the different redress avenues available to EU individuals in the event their data has been processed unlawfully, including access to no-cost independent dispute resolution mechanisms and an arbitration panel. In addition, the EC noted the new two-layer redress mechanism, which includes access to the Data Protection Review Court.
  • The EC described the two-layer redress mechanism as providing "independent and binding authority, designed to address complaints submitted by individuals whose personal data was transferred from the EEA to U.S. concerning the collection and use of their data by U.S. intelligence agencies."[1]
  • EU individuals will have the option to submit a complaint to their national data protection authority to help ensure EU individuals are able to turn to a local authority, in their own language. Submitted complaints will then be transmitted to the U.S. by the European Data Protection Board.
• The EC intends to "continuously monitor" relevant developments in the U.S. and regularly review the Adequacy Decision.
• The privacy safeguards implemented by the U.S. government in the area of national security (including the aforementioned redress mechanisms) apply to all data transfers under the General Data Protection Regulation (GDPR), regardless of the transfer mechanisms used. As a result, according to the EC, "the [Framework] safeguards therefore also facilitate the use of other tools, such as Standard Contractual Clauses and binding corporate rules" for EU-U.S. data transfers. It is also worth noting that the Data Privacy Framework Principles (discussed in more depth below) organizations must commit to in order to join the Framework share similarities to the commitments contained in Standard Contractual Clauses.[2]

What Should U.S. Companies Do to Get Certified?

In order to rely on the Framework as a valid transfer mechanism, U.S. companies will need to self-certify that they comply with the Data Privacy Framework Principles (the Principles) found in Annex 1 of the Adequacy Decision. The Framework became effective July 11, 2023, and the U.S. International Trade Administration launched a Data Privacy Framework website that will contain guidance on the self-certification process, a list of participants, and specific information for U.S. businesses, European businesses, and data protection authorities.

To be eligible for certification under the Framework, a company must be subject to the "investigatory and enforcement powers of the Federal Trade Commission (FTC) or the U.S. Department of Transportation (DoT)."[3] As discussed in our prior blog post, the Principles are substantively similar to those that companies were required to adhere to under the Privacy Shield. In addition to adhering to the Principles, organizations must pay a fee and submit the following information to the Department of Commerce (DoC) to become certified:

• The name of the U.S. company, as well as the name of any participating U.S. entities or U.S. subsidiaries;
• A description of the purposes for which the organization will process personal data;
• The personal data that will be covered by the certification;
• The chosen verification method (e.g., self-assessment or independent review, including information on the third party that completes the compliance review); and
• The relevant independent recourse mechanism and the statutory body that has jurisdiction to enforce compliance with the Framework's privacy principles.

After determining that a company's initial self-certification submission is complete, the DoC will place the company on a publicly available Data Privacy Framework List. Participating companies are required to re-certify their adherence to the Framework's privacy principles annually. The DoC has the authority to remove a company from the list if it voluntarily withdraws from the Framework, fails to complete an annual recertification, or if the company "persistently fails" to comply with the Framework's privacy principles.

What's Next

U.S. companies should actively monitor the U.S. International Trade Administration's Data Privacy Framework website for updates as to when the certification submission portal will become accessible. As of July 12, 2023, parts of the website are "under construction" but together provide a general outline of key topics.

Steps Self-Certifying Organizations Will Need to Take to Utilize the Framework

U.S. companies looking to self-certify to participate in the Framework should consider assessing their policies and procedures to determine if they meet the requirements of the Principles, including:

Privacy Notice: Organizations are required to provide notice in clear and conspicuous language when individuals are first asked to provide personal information, or as soon thereafter as is practicable. In any event, organizations must provide notice to an individual before the organization uses the individual's personal information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party.

• This requirement means organizations will need to review and update their privacy notices on a regular basis to ensure they are in compliance to continue participating in the Framework.

Additional Notice: In addition to a "clear and conspicuous" privacy notice, an organization must inform individuals about its participation in the Framework and provide a link to, or the web address for, the Framework. An organization must also inform individuals about the types of personal data collected, the purpose for which it collects and uses personal information about said individuals, how to contact the organization with inquiries or complaints, the right of individuals to access their personal data, the choices and means the organization offers individuals for limiting the use and disclosure of their personal data, the type or identity of third parties to which the organization discloses personal information, the availability to use an independent dispute resolution body designated to address complaints, the option for individuals (under certain conditions) to invoke binding arbitration, potential liability in cases of onward transfers to third parties (see below), and possible disclosures to the FTC, DOJ, other public authorities, and law enforcement.

Choice: An organization must offer individuals the opportunity to choose (i.e., opt out) whether their personal information is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals.

• Individuals must be provided with clear, conspicuous, and readily available mechanisms to exercise their preferred choice.

Accountability for Onward Transfer: To transfer personal information to a third party acting as a controller, organizations must comply with the Notice and Choice Principles. Organizations must also enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify the organization if it makes a determination that it can no longer meet this obligation. The contract shall provide that, when such a determination is made, the third-party controller ceases processing or takes other reasonable and appropriate steps to remediate.

• To transfer personal data to a third party acting as an agent, an organization is required to (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Framework's privacy principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization's obligations under the Framework's privacy principles; (iv) require the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Framework's privacy principles; (v) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the DoC upon request.

Security: Organizations creating, maintaining, using, or disseminating personal information are obligated take reasonable and appropriate measures to protect it from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. Organizations must also take into account the risks involved in the processing and the nature of the personal data.

Data Integrity and Purpose Limitation: Personal information collected must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual.

• To the extent necessary for those purposes, an organization must take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current.

Access: Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, or has been processed in violation of the Framework's privacy principles. The only exceptions to the Access Principle are (i) where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or (ii) where the rights of persons other than the individual would be violated.

Recourse, Enforcement, and Liability: Effective privacy protection must include robust mechanisms for assuring compliance with the Framework's privacy principles, including:

• Readily available independent recourse mechanisms by which each individual's complaints and disputes are investigated and expeditiously resolved at no cost to the individual and by reference to the Framework's privacy principles, and damages awarded where the applicable law or private-sector initiatives so provide;
• Follow-up procedures for verifying that the attestations and assertions organizations make about their privacy practices are true and that privacy practices have been implemented as presented and, in particular, with regard to cases of non-compliance; and
• Obligations to remedy problems arising out of failure to comply with the Principles by organizations announcing their adherence to them and consequences for such organizations. Sanctions must be sufficiently rigorous to ensure compliance by organizations.

"Schrems III" on the Horizon

The EC's approval of the Framework is a major step forward in establishing a viable international data transfer mechanism. Nevertheless, the announcement of the EC's Adequacy Decision in favor of the Framework was immediately met with criticism and the declaration of a future legal challenge by Max Schrems and his non-profit group, NOYB. Schrems issued a statement describing the Framework as a "copy of the failed Privacy Shield." Schrems went on to state that, "just announcing that something is 'new', 'robust' or 'effective' does not cut it before the Court of Justice. We would need changes in U.S. surveillance law to make this work." Schrems indicated that NOYB's intended legal challenge is expected to put the viability of the Framework in front of the CJEU by early 2024. For context, both predecessor data transfer agreements (i.e., Safe Harbor and Privacy Shield) were struck down by the CJEU after it was determined that exported personal data was not sufficiently protected in light of the risks posed by the surveillance powers of the U.S. government through the FISA 702 program.

+++

DWT's Privacy and Security team regularly advises clients regarding international data transfers and will continue to closely monitor developments with the Framework.