On 10 July 2023, the European Commission adopted an adequacy decision for a lawful data transfer from the EU to the USA for the third time. This means that personal data may again be lawfully transferred to the US. This will facilitate the use of US service providers for EU companies.
Background
The recent adequacy decision is based on the EU-US Data Privacy Framework ("DPF") that US president Joe Biden and EU Commission president von der Leyen agreed upon back in March 2022. It acknowledges the satisfactory safeguarding of personal data transferred from EU entities to US companies that are parties to the principles of this new EU-US Data Privacy Framework.
This marks the third attempt after the DPF's predecessors – the 2000 Safe Harbour and the 2016 Privacy Shield – were ruled invalid by the European Court of Justice. This decision could potentially end a years-long journey that began back in 2000 with the Commissions' "Safe Harbour" decision.
Improvements
According to the Commission, the recent adequacy decision addresses the main points raised by the ECJ in its Schrems II decision to guarantee appropriate protection of EU inhabitants' personal data in the US. Mainly, the adequacy decision follows an Executive Order of the President of the United States that introduced new binding safeguards to ensure that data can be accessed by US intelligence agencies only to the extent necessary and proportionate and to establish an independent and impartial redress mechanism to handle and resolve complaints from EU inhabitants concerning the collection of their data for national security purposes.
The key principles of the new EU-US Data Privacy Framework include:
- Free and safe data flow: The "adequacy decision" principle allows personal data to flow freely and safely between the EU and participating US companies.
- New binding safeguards: These safeguards limit access to data by US intelligence authorities to what is necessary and proportionate for national security. This principle is in line with President
- Biden's Executive Order in October 2022, and internal procedures of US intelligence agencies have been adjusted to meet these principles as of 3 July 2023.
- Two-tier redress system: A new redress system, including the establishment of a Data Protection Review Court, will investigate and resolve complaints about data access by US intelligence agencies.
- The court, an administrative body under the executive, maintains a level of independence due to its judges appointed by the US General Attorney.
- Self-certification by companies: Companies processing data transferred from the EU must self-certify their adherence to these standards through the US Department of Commerce. The department also monitors ongoing compliance, and the US Federal Trade Commission is tasked with enforcement if these companies fail to uphold their obligations.
- Regular reviews: The European Commission will undertake regular reviews of the Framework, with the first occurring one year after its adoption. These reviews will assess relevant developments in the US and the effectiveness of the legal framework in practice and will take place at least every four years.
Effects of the recent decision
To qualify for a data transfer based on the adequacy decision, US companies must self-certify under the DPF and declare compliance with the DPF, including by updating their privacy policies. The DPF will be governed by the US Department of Commerce ("DoC"), which will process the certification applications. US entities that have already certified compliance with the (then applicable) Privacy Shield principles and still have an active certification may begin relying immediately on the DPF. The DoC also monitors whether these companies continue to meet the certification requirements. A website dedicated to the DPF, which also provides for the possibility to self-certify, has already been launched.
Following the recent adequacy decision, the transfer of personal data from the EU to the US is deemed lawful. This means that the use of service providers based in the US is, in principle, possible again. However, the European entity (controller) must ensure that certain conditions are met before the transfer. In particular, the European controller is obliged to ensure that the data processing, which also includes the transfer, fulfils the following criteria:
- based on a lawful legal basis pursuant to Art 6 or 9 GDPR;
- the main principles of the GDPR under Art 5 are met;
- data protection by design and default is implemented pursuant to Art 25 GDPR;
- a data processor agreement pursuant to Art 28 GDPR is concluded with the service provider;
- the security of processing pursuant to Art 32 GDPR is ensured;
- all relevant documentation and assessments are conducted and held available for a possible inspection by the Authority;
- the data receiving US service provider is certified under the DPF.
US-based companies will have to implement internal and external policies and processes if they want to self-certify under the DPF and rely on the adequacy decision for a lawful data transfer. Their privacy policies in particular must be amended to incorporate the new DPF principles and potential existing certifications under the old Privacy Shield must be updated or recertified and the necessary fees paid.
DPF: here to stay?
The European Data Protection Board (EDPB) acknowledged that the new agreement shows "significant improvements" over its predecessors. However, it noted that the GDPR still falls short in some areas of protection. The European Parliament opposed the new agreement, pointing out that it allows a certain level of mass data collection and does not provide adequate data protection safeguards for Europeans (however, not binding on the EC). At the same time, the NGO NOYB announced its intention to challenge the decision again, criticising it as "essentially a repeat of the Privacy Shield".
It therefore seems crucial to maintain an alternative for engaging US providers, as a third potential annulment of the adequacy decision by the European Commission could abruptly disrupt enterprise-wide data processing (again). As this process continues, we will keep you updated on further steps to ensure the safe and unimpeded flow of data between the EU and the US. In the meantime, please do not hesitate to contact us if you require assistance in preparing the necessary aspects for an immediate, compliant data transfer.
By Veronika Wolfbauer, Counsel, and Florian Terharen, Associate, Schoenherr