
Third Time Lucky? European Commission Adopts Adequacy Decision for EU-US Transfers

On 10 July 2023, after three years of trans-Atlantic negotiations, the European Commission adopted its eagerly awaited adequacy decision under the EU-US Data Privacy Framework (DPF).

The decision concludes that, with immediate effect, the United States provides an adequate level of protection to personal data transferred from the EU to US companies certified under the DPF.

The decision comes at an opportune time for EU-US data flows as businesses prepare for increasing regulation in the technology space, with the AI Act and Digital Services Act (DSA) at the forefront. While the decision is welcome for ‘business as usual’ between the EU and US, key actions are needed in the short term to make it work, particularly on the US side of the deal.

This article outlines the headline issues businesses need to understand for EU-US transfers.

Adequacy Decision – What’s Changed?

According to Commissioner Reynders, the DPF is “substantially different” from its predecessor, the EU-US Privacy Shield (and, by extension, the earlier Safe Harbour regime). Importantly, the DPF introduces new, legally binding safeguards for EU personal data transferred to the US, designed to address the concerns set out by the Court of Justice of the European Union (CJEU) in its Schrems II judgment, which invalidated Privacy Shield as a compliant transfer mechanism.

As previously outlined (see our article here), some key features of the DPF are:

  1. Personal data can flow freely and safely from the EU to DPF-certified US companies. Because such transfers rely on “adequacy” under Article 45 GDPR, there is no requirement to conduct data transfer impact assessments (DTIAs) for them;
  2. Legally binding safeguards limiting access to personal data by US intelligence agencies to what is necessary and proportionate;
  3. Adoption and implementation of corresponding policies and procedures by US intelligence agencies;
  4. A new two-tier redress system to investigate and resolve complaints from EU individuals about access to their data by US intelligence authorities, with the new Data Protection Review Court as the second tier;
  5. A built-in monitoring and review mechanism, operated by the European Commission together with other authorities, to ensure the continued effectiveness of the DPF.

Key Actions: What Happens Next?

The key actions in respect of the DPF are as follows:

  1. The adequacy decision has no expiry date under the terms of the Commission’s decision. However, it will be reviewed periodically in conjunction with representatives of the European data protection authorities and the competent US authorities. The first review will take place in July 2024, to confirm that the US legal framework underpinning the DPF has been fully implemented.
  2. US intelligence agencies must implement the requirements of President Biden’s Executive Order on which the DPF’s safeguards depend (see our previous article here).
  3. The DPF is only available to US businesses subject to the jurisdiction of the US Federal Trade Commission or the US Department of Transportation. US businesses that maintained a Privacy Shield certification after its invalidation in Schrems II are expected to be “first in line” for self-certification under the DPF, once they meet its seven principles.
  4. The Commission will monitor legal developments in the US and retains the discretion to suspend, limit or annul its decision should the US legal framework fall below the standard of “essential equivalence” with the protection afforded to personal data in the EU.
  5. The European Commission will attend the next plenary meeting of the European Data Protection Board (EDPB) to discuss the final text of the DPF and adequacy decision, including the changes made following the EDPB’s opinion of February 2023. The Commission’s decision is binding and, now that it is in force, cannot be changed at this stage; however, the EDPB’s position on the decision will carry “weight” for businesses subject to the GDPR, particularly any guidance it issues on DTIAs and supplementary measures.

What About Businesses Not Using the DPF?

The safeguards implemented by the US government for the DPF in relation to national security access and redress apply to all EU-US transfers, not only those legitimised under the DPF. However, the “free flow” of data applies only to EU-US transfers where the US recipient is certified under the DPF. This means that other transfer mechanisms, such as the standard contractual clauses and binding corporate rules, remain legally necessary where the US business is not DPF-certified.

For those transfers, the requirement to conduct DTIAs remains for both existing and new EU-US transfers of personal data (as it does for transfers to any other “third country” without an adequacy decision). However, the Commission’s findings in the US adequacy decision are expected to streamline the DTIA process, particularly the assessment of US intelligence laws and practices and of the resulting need (if any) for “supplementary measures”. The EDPB is expected to provide further clarity on EU-US transfers that are not covered by the DPF.

Conclusion

At a time of increased regulation in the European technology space, we welcome this decision, which benefits all EU-US data transfers, whether legitimised under the DPF or under other transfer mechanisms. As the Commission stated, it paves the way for safe and secure data flows that underpin a sustainable economic relationship between the EU and US. While the goal of the decision is to ensure that the CJEU’s standard of “essential equivalence” travels with EU personal data, it is important to remember that the US remains a “third country”, so companies must ensure continued compliance with the GDPR’s transfer rules, particularly as they navigate new laws such as the AI Act and DSA.

If you have any queries about these developments, please contact David Cullen or Rachel Hayes.


Contributed by Conor Beirth