Good Things Come in Threes: European Commission’s Third Attempt to Facilitate EU-U.S. Data Transfers
The European Commission (EC) has, for the third time, secured data flows to the United States with its highly anticipated adequacy decision regarding the EU-U.S. Data Privacy Framework (DPF). This major development follows two European Court of Justice (ECJ) decisions that struck down the DPF’s predecessors, the Safe Harbor (2015) and the Privacy Shield (2020), because of concerns with U.S. government surveillance and the lack of judicial redress for EU individuals. Starting on July 11, 2023, the adequacy decision allows for personal information to be transferred to U.S.-certified companies under the DPF. The adequacy decision also has an indirect but important bearing on transfers based on other transfer mechanisms such as Standard Contractual Clauses or Binding Corporate Rules.
After the agreement between the Biden administration and the EC’s President von der Leyen on a new trans-Atlantic Data Privacy Framework in March 2022, the U.S. President issued Executive Order (EO) 14086 to address the issues raised by the ECJ in its “Schrems II” ruling (see our client alert). In EO 14086, the United States made commitments around the DPF allowing the EC to launch the adequacy decision process. The DPF consists of three components: (i) the commitments made by the U.S. government in respect of personal information from the EU; (ii) a new structure to provide redress for EU individuals; and (iii) a certification to which U.S. data importers can commit (see our client alert).
A committee composed of the representatives of the various Member States voted positively on the draft adequacy decision on July 10, 2023, marking the final mandatory step before the EC adopted the adequacy decision. A few days before the vote, the U.S. Department of Commerce (DoC) issued a statement to confirm that U.S. intelligence agencies had completed their commitments under EO 14086 and that the Attorney General had designated the EU and the EEA States as “qualifying states” whose individuals can seek redress through the Data Protection Review Court (DPRC) established under EO 14086 and its implementing regulations.
The EC believes that the DPF addresses the concerns raised by the ECJ by: (i) limiting the scope of U.S. surveillance activities to what is necessary and proportionate; and (ii) establishing the DPRC to provide a means of redress for EU individuals from an independent tribunal.
With the adoption of this adequacy decision, those companies that have certified compliance with the DPF in the United States are deemed to ensure an adequate level of protection for personal information, as assessed against EU standards. U.S. companies that have certified under the DPF can now use the DPF as a legal basis for transfers of personal information from the EU, with no further requirements for authorizations or conditions. This includes not having to conduct a transfer impact assessment or having to implement supplementary measures. The adequacy finding in that sense is “stand-alone.”
The United States has indicated that its commitments under the DPF apply to all transfers of personal information made from the EU, regardless of the transfer mechanism. In other words, in order for the commitments from the United States to apply, all that matters is that personal information has been transferred from the EU. Any legal bases used to legitimize the transfer under EU rules do not, as far as the U.S. commitments are concerned, affect the protections afforded by EO 14086 and the availability of the DPRC. This means that, from the U.S.’s perspective, transfers made under EU Standard Contractual Clauses (SCCs) or EU Binding Corporate Rules (BCRs) receive the same treatment and level of protection as personal information transferred under the adequacy decision of the DPF. While the EC’s adequacy decision does not discuss this broad application, the EC does explicitly recognize and confirm this in the Q&A it published on the DPF on July 10, 2023. Several data protection authorities such as the CNIL (France) and the Datatilsynet (Denmark) have also confirmed this.
Following the Schrems II decision, European data protection authorities require companies to carry out transfer impact assessments (TIAs) for any transfers to jurisdictions outside of the EU that are based on SCCs or BCRs. As part of the TIA, companies have to assess the impact of foreign laws on personal data transferred and determine whether any supplementary measures are required to ensure adequate protections for such data. For transfers to the United States that are based on SCCs or BCRs, a TIA will still be required. However, as we observed in our MoFo minute, any such TIA should be able to benefit from the commitments made by the United States under EO 14086 and the recognition thereof by the EC in its adequacy finding and FAQs. As a result, no further supplementary measures should be required. With respect to transfers made pursuant to the DPF, there is no requirement to do a TIA in the first place (and thus also no requirement to assess or add any supplementary measures), because the EU has deemed the DPF to be adequate.
Companies that want to participate in and benefit from the DPF must certify by publicly declaring their commitment to the DPF principles, include those commitments in their publicly available privacy policies, and implement those principles. U.S. companies can import EU personal information from the moment they are on the list maintained by the DoC attesting that they have certified. Companies that were certified under the Privacy Shield are automatically transferred to the DPF certification list and should update their privacy policy and commit to the DPF principles within three months. As with the Privacy Shield, only companies that fall under the investigatory and enforcement powers of the Federal Trade Commission (FTC) and the DoC are allowed to certify under the DPF (which thereby excludes, for example, banks or insurance companies). For transfers from the UK and Switzerland, starting on July 17, 2023, companies will be able to certify under the DPF “extension,” which will allow U.S. companies to also benefit from the DPF for transfers from the UK and Switzerland. From that date, companies have three months to update their policies with the appropriate references. For the UK extension, companies can participate as part of their annual re-certification process or outside of it if they make that choice within six months. The UK extension is only available to companies taking part in the DPF (while this is not required under the Swiss extension). These transfers will, however, only be allowed once these countries have adopted their adequacy decisions. Privacy Shield companies will have three months to re-certify to the DPF, after which the Privacy Shield certification will cease to exist. More details and guidance on the certification and re-certification process are provided by the DoC on the DPF’s website.
The adequacy decision will be reviewed by the EC every four years. The first review is scheduled for next year. If it finds in this review that the DPF does not provide an adequate level of protection, the EC has the ability to suspend, amend, or repeal the adequacy decision or to limit its scope.
Max Schrems, who challenged the Privacy Shield in the case that led to the ECJ’s Schrems II decision, has indicated that he will challenge the adequacy decision of the DPF in national and EU courts. However, it will likely take several years for such case(s) to ultimately be brought before and decided by the ECJ. Until such time, the DPF adequacy decision will remain in place.