12 minute read | July.10.2023
The European Commission today approved the long-awaited framework for data transfers to the United States.
What is the decision about?
Today's decision means that organisations subject to the GDPR can benefit from an adequacy decision for transfers to companies in the United States that certify their participation in the EU-US Data Privacy Framework ("DPF").
An adequacy decision from the European Commission facilitates the transfer of personal data from the EU to third countries. Subject to limited exceptions, the GDPR prohibits these transfers in the absence of adequate safeguards that ensure a comparable level of protection of personal data to that of the EU. The adoption of an adequacy decision in respect of a third country indicates that, in the opinion of the European Commission, that third country offers a level of protection for personal data that is aligned with the requirements of the GDPR, meaning that parties to a data transfer do not need to put in place additional safeguards to ensure that the transfer complies with the GDPR.
The EU Commission has found that data transferred to companies located in the United States which have joined the DPF is subject to a standard of protection which is essentially equivalent to that of the European Union.
Do only companies signed up to the DPF benefit from the decision?
While the decision of the EU Commission has only direct (beneficial) effect for those companies signed up to the DPF, the decision will likely also have a significant beneficial impact for all the companies relying on the Standard Contractual Clauses ("SCCs") issued by the EU Commission or the Binding Corporate Rules ("BCRs") approved by EU data protection supervisory authorities under the GDPR.
In its judgment in the Schrems II case, the European Court of Justice identified significant issues arising under U.S. laws that undermined the ability of parties transferring personal data to recipients in the United States to guarantee a data protection standard essentially equivalent to that in the European Union. In particular, the CJEU found the ability of the U.S. intelligence community to access data under Section 702 of the Foreign Intelligence Surveillance Act ("FISA 702") and Executive Order (EO) 12333 was potentially excessive and lacking appropriate oversight and legal redress.
Today's adequacy decision relies to a large extent on the changes to U.S. law implemented by Executive Order (EO) 14086. EO 14086 introduces new binding safeguards to limit access to data by U.S. intelligence authorities and establishes an independent and impartial redress mechanism to investigate and resolve complaints regarding access to data by U.S. national security authorities.
The adequacy decision confirms that, at least in the opinion of the European Commission, the measures put in place through EO 14086 are sufficient to address the concerns raised by the CJEU. As a result, it would be difficult for an EU data protection supervisory authority to argue that a transfer of personal data to a recipient in the United States on the basis of the SCCs or BCRs would not benefit from a sufficient level of data protection. Suspending a transfer or issuing a fine against a company relying on the SCCs or BCRs to transfer personal data to the United States would likely require a challenge to the Commission's adequacy finding itself.
Are Transfer Impact Assessments still required?
If companies cannot or do not want to rely (solely) on the DPF to transfer data to a company that has joined the DPF, they must continue to perform a Transfer Impact Assessment ("TIA") as required under the Schrems II ruling of the CJEU. However, as outlined above, it will be easier to justify a positive TIA as even the EU Commission finds the Executive Order (EO) 14086 as implemented into U.S. law to have sufficiently addressed the concerns raised by the CJEU.
Are Data Transfers to the United States now safe?
Companies relying on the DPF are not at risk of fines for data transfers to the United States for as long as the DPF adequacy decision is not lifted by the CJEU. All E.U data protection supervisory authorities are bound by the decision of the EU Commission under European law. However, EU data protection supervisory authorities are required by law to challenge the decision pursuant to national member state law should they disagree with the EU Commission.
The DPF decision also shields companies relying on the DPF from damage claims initiated before national courts. National courts would have to call on the CJEU should they consider the adequacy decision by the EU Commission to be invalid.
Does the DPF solve the problem once and for all?
Likely not. The prospect of surveillance authorised under FISA 702 and Executive Order 12333 are long-standing concerns with transfers of personal data to recipients in the United States by organisations subject to the GDPR. Both were key issues raised in the Schrems I and Schrems II judgments that invalidated Safe Harbor and Privacy Shield respectively.
Although the DPF and EO 14086 mark a significant step forward, the DPF has been criticised by the European Data Protection Board and the European Parliament as not going far enough in addressing the underlying issue of bulk data collection by U.S. law enforcement authorities. Although the Executive Order refers to principles of "proportionality" and "necessity" that are familiar to EU law, their interpretation is still grounded in a different legal system. While the words themselves might be the same, the European Parliament's view was that their application in the United States will look very different to how these terms are applied in the EU. Combined with the fact that decisions by the new Data Protection Review Court would be classified and not public or available to the complainant, the view from the European Parliament and the European Data Protection Board seems to be that the measures adopted in the Framework would be effective on paper but, in reality, would pay little more than lip service to the concerns raised by the CJEU in the Schrems judgments.
As a result, a new challenge of the DPF decision is expected, and there is a clear risk that the decision might face the same fate as the Safe Harbor Framework in 2015 and the Privacy Shield in 2020.
Do companies in the United States have to sign up to the DPF?
U.S. companies on the receiving end of GDPR data transfers now have a genuine choice between continuing to rely on Standard Contractual Clauses and certifying to the new DPF. Companies already signed up to the Privacy Shield will likely be offered an easy transition to the DPF.
Should U.S. companies sign up to the new DPF?
There are certainly practical advantages to the DPF over relying on SCCs; however, the DPF is not simply a replacement for the SCCs, and there may be valid reasons for parties to continue using SCCs rather than relying solely on the DPF:
|Scope||The DPF solely applies to data transfers to the United States.||The SCCs can be relied on for data transfers to any third country including the United States. The SCCs can also be included in and may be more appropriate for a "wider contract", such as an Intra-Group Agreement for Data Transfers covering a variety of jurisdictions.|
According to the U.S. Department of Commerce ("DoC"), "the EU-U.S. DPF will not create new substantive obligations for participating organizations with regards to protecting EU personal data [compared to the EU‑US Privacy Shield Framework]. The privacy principles […] will remain substantively the same."
These provisions under these principles can differ from requirements under the GDPR. Consequently, The DPF includes some obligations which are not as stringent as their equivalent under the SCCs or at least leave room for interpretation to that effect. For example:
In general, the obligations set out under the SCCs largely mirror the requirements under the GDPR. For example:
|TIA||As stated above, no TIA will be required when relying on the DPF.||A TIA will be required when relying on the SCCs. However, as mentioned above, Executive Order 14086 also applies to transfers based on the SCCs and will thus be helpful for the successful completion of a TIA.|
|Efforts to put in place||According to the DoC, "the process to self-certify and re-certify annually will remain substantively the same" compared to the EU-US Privacy Shield Framework. Consequently, it will require some effort to put together the necessary information for the self-certification, and the application processing by the DoC could take some time. Certification may therefore require more initial effort and investment of time and resources than entering into an SCCs, although the DoC
has previously stated that it intends to make it easier for companies which are still certified under the EU‑US Privacy Shield Framework.Once certified, the DPF would potentially allow for a smoother contracting process, removing the need to bulk out contracts with additional transfer clauses or negotiating the optional or customisable provisions in the SCCs.
|Compliance with the SCCs may also require an initial investment to put in place the processes and frameworks to ensure that the recipient can comply. However, the SCCs is simply a contractual arrangement with no official certification process. Companies therefore have more control over timelines and how they go about complying with their contractual obligations in the SCCs.|
|UK Data||In general, the DPF only applies to personal data subject to the EU GDPR. However, the UK and the United States are working on establishing a UK extension to the DPF which would allow for it also apply to UK personal data. The timeline for establishing this "Data Bridge" is unclear, but should be relatively swift following the EU's decision. It is also unlikely that the ICO would take action against companies relying on the DPF in advance of an agreement on the UK extension.||The SCCs can be easily extended to personal data subject to the UK GDPR by adding the International Data Transfer Addendum as officially published by the UK ICO.|
|Longevity||It is a truth universally acknowledged that the DPF will be subject to legal challenge, and if the DPF suffers the same fate as its predecessors then organisations that certify to the DPF could easily find themselves having to repaper all of their data sharing agreements again with SCCs.||Apart from setting out additional requirements, such as the performance of a TIA, in its Schrems II judgment, the CJEU explicitly stated that the validity of the SCCs was not affected. It is therefore unlikely that the SCCs would be invalidated in the near term.|
|External Perception||Certification signals a serious commitment to data privacy which is likely beneficial from an external perception standpoint. This would also be based on fewer companies likely relying on the DPF compared to the SCCs.|
Four years before the CJEU invalidated Privacy Shield, the European Data Protection Supervisor stated that "the Privacy Shield, as it stands, is not robust enough to withstand future legal scrutiny before the Court". In several years' time, it is possible that we could be viewing the criticism of the DPF mentioned above by various European bodies as a similar moment of dramatic irony.
It should also be taken into account that the CJEU invalidated the EU-U.S. Privacy Shield Framework with immediate effect and did not provide companies with any grace period to switch to an alternative transfer mechanism.
In light of this legal uncertainty, companies who are currently relying on the SCCs or BCRs are unlikely to move over entirely to the DPF and overhaul their existing contractual commitments.
However, as set out above, the DPF can provide certain benefits over the SCCs, particularly for companies in the United States that receive personal data from a large volume of clients in the EU and are looking to streamline their contracting process in the short term. Also where the efficiencies promised by the DPF outweigh the legal uncertainty, it may well be sensible to rely on the DPF by itself.
 Article 288(4) of the Treaty on the Functioning of the European Union