What does the new Data Privacy Framework adequacy decision mean for US data flows?
Published on 11th Jul 2023
EU and UK companies transferring personal data should check if their US data importers certify under the new framework
Following a vote earlier this week in which 24 EU Member States were in favour of the EU-US Data Privacy Framework (DPF), the European Commission has adopted its adequacy decision for the US based on the new framework. Businesses will be able to benefit from this from 11 July 2023.
After Schrems II
In July 2020, the Court of Justice of the European Union (CJEU) invalidated the previous adequacy decision between the EU and the US in the Schrems II decision. The CJEU held in Schrems II that US law and practice does not provide adequate protection for EU individuals and their personal data. The CJEU's main points of criticism related to the lack of clear and precise rules for access by US national security agencies to personal data of EU individuals, the lack of any form of proportionality assessment in case of such governmental access, and the lack of effective remedies for data subjects that can be invoked in a court or tribunal.
Furthermore, the CJEU imposed additional obligations on companies transferring data internationally by requiring an assessment that the laws and practices in the receiving country are essentially equivalent to EU law, even if companies rely on the EU standard contractual clauses (SCCs) – so-called transfer impact assessments.
In March 2022, the Commission and the US President Joe Biden announced an “agreement in principle” according to which they were working together on the new DPF to reintroduce an adequacy decision for the US. A key aspect of the new DPF is the Executive Order (EO) 14086, adopted by President Biden in October 2022. EO 14086 addressed the deficiencies of US law identified by the CJEU in its Schrems II decision.
Framework approval
EO 14086 required certain US governmental stakeholders to implement safeguards that it provided, such as updating policies and procedures of national security agencies, establishing the Data Protection Review Court or recognising third countries (like the EU countries) as being entitled to enjoy the protection it granted.
The US Department of Justice and the Office of the US Director of National Intelligence announced last week the completion of this implementation work. On 6 July 2023, the vote of the 24 EU Member States in favour of the adequacy decision based on the DPF – with three abstaining – led to the final adoption of the adequacy decision by the Commission on 10 July 2023, entering into force on 11 July 2023.
EU-US data transfers
What does the DPF mean for EU companies transferring data to the US? First of all, US companies that certify under the DPF will be recognised as a third-country data importer providing adequate data protection. As a consequence, for transfers to those certified companies, the burdensome transfer-impact assessments that have become common in the years following Schrems II will be in the past, as will the implementation of additional transfer safeguards and the uncertainty of whether all of this is enough to meet the adequacy threshold under the General Data Protection Regulation. However, it remains to be seen how many US companies will actually certify under the DPF as there are concerns that the new framework will suffer the same fate as its two predecessors, Safe Harbor and Privacy Shield.
Secondly, even for data transfers to US companies that are not certified under the DPF, the adequacy decision will likely have a positive and significant effect. As the Commission has basically confirmed that EO 14086 addresses and compensates for the deficiencies of US law as identified by the CJEU, it can now be argued as part of the transfer impact assessment that US law is essentially equivalent, provided that any such transfer to the US relies on the EU SCCs or on Binding Corporate Rules.
The key argument for the transfer impact assessment would be that, with EO 14086, the US has implemented the principle of proportionality. When US national security agencies intend to access personal data, EO 14086 has specified the rules and conditions for such access. And EO 14086 has established a new redress mechanism, which allows EU individuals to bring a claim to the Data Protection Review Court as an impartial tribunal.
As these were the key concerns of the CJEU with respect to US law, companies can take the view that US law is now essentially equivalent. Yet, discussions are likely to continue over whether the EU SCCs will suffice in this transfer scenario or whether – in the absence of a DPF certification – other additional safeguards need to be implemented. This applies as long as the CJEU does not invalidate this adequacy decision again.
Here to stay?
Whether or not the CJEU concurs with the view of the Commission that US law, especially through EO 14086, now provides a level of data protection that is essentially equivalent remains to be seen. It is expected that the CJEU will need to decide on this question as early as 2024 or a year later.
The Commission has committed to carry out periodic reviews of the DPF together with the EU data protection authorities and the US authorities. A key aspect will be to confirm that the US government complies in practice with its commitments under the EO 14086. The first review will take place within a year of the entry into force of the adequacy decision. The review shall verify that all relevant elements have been fully implemented by the US government and are functioning in practice.
What about the UK?
While the UK benefited from the previous EU-US Privacy Shield arrangement, the UK has since exited the EU and, therefore, will no longer be covered by this new EU-US Data Privacy Framework.
UK businesses that operate internationally and have EU-based establishments transferring personal data directly from the EU may see some benefit (as may any other international business in the same position), as the DPF may at least provide another alternative for legitimising transfers of EU personal data directly from the EU.
This would, of course, require businesses to understand their data sets sufficiently to determine what personal data is flowing from the UK and the EU and assess the risk and specific requirements in relation to each data set separately (assuming the business continued to rely on the UK international data transfer agreement or addendum, or UK SCCs, to legitimise the transfer of the UK data set).
Moreover, UK businesses using UK SCCs and, in turn, having to undertake data-transfer impact assessments (or "transfer risk assessments", to use the UK terminology) may also indirectly benefit from the recognition by the Commission that EO 14086 addresses and compensates for the deficiencies of US law identified by the CJEU in the Schrems II decision – given that the requirement for such assessments derived from that decision (which was handed down while the UK was in the Brexit transition period and still subject to EU data protection law). One can certainly envisage a UK business raising that point if it was subject to relevant legal or regulatory action.
As for a UK-US agreement, the UK government will instead have to agree an alternative arrangement with the US to cover the flow of UK personal data to the US. The UK government has recently published an "Atlantic declaration" with the US, which includes working towards a "data bridge". This was billed in the joint UK-US statement announcing the bridge as a "UK extension to the EU-US Data Privacy Framework", and the "FAQs - UK Extension to the EU-US Data Privacy Framework" have subsequently confirmed that organisations that "wish to participate in the UK Extension to the DPF must also participate in the EU-US DPF". The key question here remains whether such organisations could continue to rely on the UK extension even if the EU-US DPF was successfully challenged and declared invalid by the CJEU.
Osborne Clarke comment
EU and UK companies transferring personal data to the US should check with their US data importers whether they intend to certify under the DPF and what the timeline is for the certification process.
If US data importers do not intend to certify (which will likely be the case for a great number of US companies at this point), EU and UK companies should update their data transfer impact assessments for the US, including the safeguards provided under EO 14086 and the adequacy decision by the Commission.
For new data transfers to uncertified data importers in the US, EU and UK companies should (continue to) rely on the SCCs and verify whether additional safeguards are still necessary for the specific transfer. Naturally, for data transfers to other third countries (including onward transfers from the US), nothing has changed.
This Insight was updated on 8 August 2023.