The EU-US Data Privacy Framework has been adopted, what now?

Vita Zwaan & Jacob van de Velde & Sarah Stapel
26 Jul 2023

The obstacles surrounding transfers of personal data to the United States are well-known. With a recent decision from the European Commission, however, some needed legal certaintyis provided.

On 10 July 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework. On the basis of this decision, personal data can flow freely from the EU to companies in the United States that participate in the Data Privacy Framework.

The consequences of this adequacy decision are summarized in blog post.

Background: Schrems II

In 2021, the Court of Justice of the European Union (“CJEU”) invalidated the adequacy decision for transfers to the US at that time, the Privacy Shield. According to the CJEU, US law provided insufficient safeguards against surveillance by US intelligence agencies. Since this judgment in Schrems II­, transfers of personal data to the US were only allowed with the use of trasnfer mechanisms, such as Standard Contractual Clauses (“SCCs”). Moreover, additional safeguards were deemed necessary on top of these SCCs, as the CJEU decided that those alone would provide inadequte protection. As a result of this judgment, it was practically impossible to transfer personal data to the US in full compliance with the General Data Protection Regulation (“GDPR”).

What does the Data Privacy Framework entail?

The European Commission has welcomed the successor to the 2020 Privacy Shield. This decision follows an Executive Order of President Biden, which includes additional safeguards for the protection of European personal data. The most important changes are as follows:

  1. US legislation now includes binding safeguards that limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security;
  2. There now is enhanced oversight of activities by US intelligence services to ensure compliance with limitations on surveillance activities; and
  3. An idependent and impartial redress mechanism has been established, which includes a new Data Protection Review Court to investigate and resolve complaints regarding access to their data by US national security authorities.

US companies can certify their participation in the Data Privacy Framework by committing to comply with a detailed set of privacy obligations. This includes principles of purporse limitation, data minimisation, and data security. The US Department of Commerce will process applications for certification and monitor whether participating companies continue to meet the certification requirements. Registration will be possible via the website of the US Department of Commerce. The US Federal Trade Commision will enforce compliance by US companies with their obligations under the Framework.

What are the consequences?

Current transfer mechanisms stay valid: as far as SCCs or similar transfer mechanisms for transfers to the US are used, these remain valid. Namely, the safeguards adopted by the US government also apply to these mechanisms. In this case, we advise evaluating whether additional safeguards are also necessary, considering that data exporters should take into account the assessment conducted by the Commission in the Adequacy Decision.

Adequacy decision as an alternative mechanism: as far as a party has a relationship or enters into a new relationship with US companies for data processing, the transfer of data can be based on the Data Privacy Framework. Please note that thisis only possible in the case that these companies actually participate in the Framework.

A long-term solution?

According to the privacy activist, Max Schrems, who successfully fought the validity of the successors to this adequacy decision, the Data Privacy Framework should also be invalidated. He writes that the Framework is a factual copy of the Privacy Shield and does not include sufficient safeguards against US surveillance. His foundation, none of your business, has already announced to challenge the adequacy decision before the CJEU. The foundation expects that the CJEU will either invalidate the decision or provide more clarity about the enforcement thereof within about two years.

In short, for at least the coming two years you can rely upon the validity of the Data Privacy Framework.

What are the next steps?

The various transfer mechanisms can be combined. As such, we advise to keep using SCCs for existing relationships. On top of the SCCs, it cannot hurt that the US company also participates in the Data Privacy Framework.

For new relationships, it is sufficient if the US company is a participant to the Framework. You can view the list of participants on this website. However, considering the uncertainty about the adequacy decision as a long-term soluiton, we also advise to rely on SCCs. Until the certification process is up and running, we note that it is necessary to use SCCs or a similar mechanism.

The European Data Protection Board (“EDPB”) has recently published an information note on data transfers to the US following the adequacy decision. When the EDPB and/or the Dutch Data Protection Authority publish(es) any further guifance, we will post an update on our website.