On 10 July, the European Commission announced the adoption of their adequacy decision for the EU-US Data Privacy Framework (the DPF), meaning that the free flow of personal data to the US can now resume, at least to US companies participating in the DPF.
There was significant political and commercial imperative for an EU-US data flow deal, as evidenced by the overwhelming vote in favour of the DPF at the meeting of EU countries’ representatives last week (with 24 voting in favour of the decision, just three abstentions and none voting against).
Concerns had previously been expressed by the European Parliament and the EDPB, with much of the criticism focusing on the lack of implementation of aspects of the Executive Order (EO) (discussed in our previous blog) that were to underpin the DPF. However, the US’s Secretary of Commerce, Gina Raimondo, confirmed last week that the US had fulfilled these commitments, including by designating the EU/EEA (and Ireland, Liechtenstein and Norway) as ‘qualifying states’ under the redress mechanisms provided by the EO and through the US intelligence community adopting implementing policies and procedures pursuant to the EO.
What does this mean for EU and US organisations in practice?
For data to be transferred freely under the terms of the DPF, US importers must have committed to complying with the DPF principles, through an application process administered by the US Department of Commerce. For organisations transferring to US importers already certified under the previous US Privacy Shield framework (invalidated by the CJEU in the 2020 Schrems II decision and discussed in our 2020 blog), US importers will at least need to update their current compliance programmes to reflect the new DPF. This will include ensuring compliance with the new DPF principles and updating privacy policies to refer to the DPF principles (rather than the Privacy Shield principles) within three months of the DPF adequacy decision. It is expected that the privacy principles under the DPF and the process to self-certify and re-certify annually will remain substantively the same, but further details will be available on the new Department of Commerce Data Privacy Framework website (which at the time of writing remains under construction).
For organisations transferring data to US importers using SCCs, the DPF adequacy decision should ease the process of completing TIAs going forward, as all the safeguards that have been put in place by the US Government in relation to national security apply to data transfers made via the SCCs (as highlighted by the EU Commission’s Q&A on the DPF). This also applies to organisations that are choosing to hold off any major compliance programme updates because of the risk of the DPF being invalidated following a challenge (with privacy activists such as NOYB having already publicly stated they will challenge the DPF decision).
The adequacy decision is immediately operational, but it will be subject to periodic reviews by the European Commission, together with representatives of the EU data protection authorities and competent US authorities. The first review is scheduled for 2024 to check that all the relevant elements have been implemented in the US legal framework and are working in practice.
What about organisations making transfers from the UK?
The UK and US announced an agreement in principle for a ‘data bridge’ equivalent to the DPF on 8 June. It is likely that this will be in place by the end of the year, based on the five months taken from last year’s South Korean adequacy assessment to move from agreement in principle (in July) to operative adequacy regulations (in December). In the meantime, however, organisations looking to make UK-US transfers can look to the protections for personal data included in the EO and examined in the EU’s DPF decision as a useful source of reference for their TIA/TRA diligence, particularly as it appears likely that, following the above announcement, the UK will be listed as a ‘qualifying state’ under the EO.