EU Commission adopts adequacy decision on EU – US Data Privacy Framework

On the 10th of July 2023, the EU Commission adopted its adequacy decision (the “Decision”) for the EU- US Data Privacy Framework (the “DPF”) through which it concluded that those US companies which subscribe to the DPF and adhere to its provisions will ensure an adequate level of protection, comparable to that of the EU, for personal data transferred from the EU to U.S. companies. The DPF provides for a new mechanism to allow the transfer of personal data to those U.S. companies participating in the DPF, without having to put in place additional data protection safeguards. The full text of the decision is available here while the European Data Protection Board’s (the “EDPB”) opinion on the Commission Draft Implementing Decision on the DPF is available here.

The issuance of this Decision and adoption of the DPF stems from the Schrems II decision issued by the European Court of Justice (“ECJ”) on the 16 July 2020, which had invalidated the EU-US Privacy Shield, the predecessor of the DPF. This was a legal framework designed to regulate exchanges of personal data for commercial purposes between the EU and the U.S., and which aimed to facilitate the process through which U.S. entities received data from EU entities.

The main points to note in relation to the DPF are:

  1. The DPF is based on a system of certification by which U.S. organisations are able to commit to a set of privacy principles (the “Principles”). One of the main aspects is that an organisation which is certified must be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) or the U.S. Department of Transportation (DoT).
  2. The DPF establishes principles relating to processing of personal data that are akin to those established under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “GDPR”), thus providing EU citizens with greater legal certainty regarding the manner in which their personal data will be processed by US companies adhering to the DPF.
  3. The U.S. Department of Commerce (the “DoC”) will be responsible for administering and monitoring the DPF and in this respect, the DoC has undertaken certain commitments to ensure that organisations which declare that they will adhere to the DPF are in fact adhering to such requirements. In particular, the DoC is empowered to carry out random ‘spot checks’ of randomly selected organisations on its own initiative, as well as ad hoc ivnestigations of specific organisations where potential compliance issues are identified. The U.S. Federal Trade Commission and the U.S. Department of Transportation are then empowered to carry out investigations and enforce compliance with the Principles.
  4. The DPF requires entities which adhere to it to provide individuals with effective remedies in those situations where there is non-compliance. EU data subjects have the opportunity to lodge complaints with (i) the EU-U.S. DPF organisations; or (ii) independent dispute resolution bodies (either in the United States or in the Union) designated by an organisation to investigate and resolve individual complaints (unless they are obviously unfounded or frivolous); or (iii) national DPA in the Union, which may make use of their investigatory and remedial powers under GDPR.
  5. Finally, the U.S. government has provided assurances that the processing of personal data pertaining to EU data subjects and its subsequent use by U.S. public authorities will be subject to applicable limitations and safeguards as outlined in further detail in Annex VI to the Decision.

What does this mean for EU Data Subjects?

The adoption of the Decision signifies the EU Commission’s support towards the DPF, which promises to provide a solid framework for ensuring that US organisations respect EU Data Subjects rights and in the words of Commissioner for Justice, Didier Reynders, “to ensure safe and free transfers of data across the Atlantic. It ensures the protection of individual rights in our intangible and interconnected digital world, where physical borders do not matter much anymore.[1]

According to the EU Commission, this in turn is expected to have a knock-on effect in ensuring that continued data flows resulting from cross border commerce with a value of close to €1 trillion a year are properly protected.

In practice?

Although it is already under scrutiny by ‘NOYB’, a European non-profit organisation headed by Max Schrems, with NOYB indicating that it would be challenging the DPF before the ECJ, the DPF certainly represents a step forward in the right direction by facilitating EU-US data transfers, while still maintaining important safeguards in place to protect personal data.

Naturally, there has not yet been opportunity to see the DPF operate in practice and through its opinion, the EDPB has already called on certain elements to be clarified to ensure that this method of transatlantic data transfers will ensure. Nevertheless, it is expected that measures contained in the framework agreement represent a step forward by ensuring greater protection for EU data subjects rights, while at the same time ensuring that personal data can flow freely and safely between the EU and participating US entities.

[1] Didier Reynders, Commissioner for Justice – 10/07/2023