Yesterday, 10 July 2023, the European Commission confirmed the EU-US Data Privacy Framework (EU-US DPF) by adopting an adequacy decision. Companies participating in the EU-US DPF will now be deemed to be adequate and secure recipients of personal data. Transfers of personal data from the EU to participating companies in the US will no longer require prior Transfer Impact Assessments (TIAs), Local Law Assessments (LLAs) of complex areas of foreign laws, additional safeguards (such as further security measures) or standard contractual clauses (although lighter forms of data processing agreements or data sharing agreements will still be required).
This is a hugely significant step towards restoring legal certainty in EU-US data exports, and therefore transatlantic digital trade. However, the EU-US DPF may have an expiry date, as legal challenges to its validity by privacy activists are certain. Thinking about EU data exports to other parts of the world? Strangely, EU data exporters and importers will need to continue running TIAs and LLAs and put standard contractual clauses in place to transfer EU personal data to other countries outside the European Economic Area (EEA) that have not been found by the EU to be "adequate," i.e. the vast majority of countries around the world.
At the time of writing this client alert, the UK government has not confirmed its position, but it is difficult to see how the UK will not reach a similar US adequacy decision soon.
Nearly three years ago, on 16 July 2020, the Court of Justice of the European Union (CJEU) in its Schrems II judgment overturned with immediate effect the Commission's adequacy decision on the EU-US Privacy Shield, a widely used legal mechanism for lawfully exporting personal data from the EU to the US (for more background, check out our client alert here). As a result, EU data exporters and US data importers had to rely on the EU standard contractual clauses to legitimize the data exports, having previously carried out a detailed TIA (including an LLA of the country of destination) and implemented additional safeguards, i.e., additional technical and organizational security measures, before personal data could be lawfully transferred from the EU to the US. The decision led to considerable legal uncertainty around one of the most basic day-to-day operations of international digital businesses, i.e., the ability to transfer data to group companies, service providers and business partners in other parts of the world. In that sense, the CJEU and the EU data protection authorities missed every opportunity to provide organizations with effective tools for transferring personal data from the EU to the US. Even after the Commission promulgated its shiny, brand-new EU standard contractual clauses in 2021, many continued to view transfers of personal data from the EU to the US as failing to meet the legal standard set forth in Schrems II. This was an impossible state of affairs in the light of the simple fact of life that most organizations rely on US-based tech and cloud companies to process the personal data of EU residents.
Unlike their response to the Schrems I decision, in which the CJEU overturned the EU-US Safe Harbor, the predecessor of the Privacy Shield, EU politicians took considerable time to respond to the Schrems II judgment by adopting the adequacy decision for the EU-US DPF. The latest adequacy decision addresses the two major criticisms that the CJEU had in relation to transfers of personal data from the EU to the US:
The US government had addressed both of those concerns in Executive Order 14086, "Enhancing Safeguards for United States Signals Intelligence Activities", which President Biden issued on 7 October 2022. The first point of contact for EU residents who wish to challenge access to their personal data is now the Civil Liberties Protection Officer, who is responsible for ensuring compliance of the US intelligence services with fundamental and data protection rights. The officer's decisions can now be appealed to a completely new and independent court, the Data Protection Review Court.
These measures were sufficient to secure the support of the EU member states. After several rounds of deliberation, the EU took the last necessary step to complete the agreement with yesterday's adequacy decision (see here for the Commission's press release).
As under the previously invalidated Privacy Shield agreement (and its predecessor, Safe Harbor), US companies must demonstrate compliance with data protection requirements and be certified as compliant before they (and EU data exporters sharing data with them) can rely on the EU-US DPF. The United States Department of Commerce (DoC) will be responsible for handling the certification procedures. It is expected that the DoC will react promptly and announce the certification process soon.
If a company is then certified according to the EU-US DPF, it becomes for all practical purposes an adequate data recipient according to Art. 44, 45 GDPR. A data transfer to this recipient does not require a TIA, LLA, additional safeguards or standard contractual clauses.
We can reasonably expect all major US data importers, including tech, cloud and AI companies and service providers, to soon announce their certification under the EU-US DPF.
Despite this massively positive development, it may be premature for companies to terminate their existing standard contractual clause agreements. Although the EU and US governments are now confident that they have created a legally secure framework for EU-US data transfers, they were also confident in the frameworks for transferring personal data from the EU to the US before the Schrems I ruling in 2015 (which invalidated the Safe Harbor) and the Schrems II ruling in 2020 (which invalidated the Privacy Shield).
Perhaps unsurprisingly, the data protection platform "NOYB," founded by Max Schrems (the namesake of the Schrems I and Schrems II decisions), has also already criticized the Commission's adequacy decision. In the view of NOYB, which sees itself as a mix of consumer protection organization and data protection activists, the EU-US DPF does not meet the requirements of the GDPR. The adequacy decision will therefore likely be "back at the Court of Justice (CJEU) in a matter of months" (see here for NOYB's statement).
Whether the EU-US DPF will stand up to judicial scrutiny is likely to be the subject of heated debate in the data protection community in the coming weeks. Therefore, for most organizations the optimal approach to futureproofing their EU-US data export arrangements is likely to be to ensure certification under the EU-US DPF, eliminating the need for TIAs, LLAs and additional safeguards every time they wish to carry out a new data export, while at the same time retaining their standard contractual clauses so that they (hopefully) have a safety net in the event the EU-US DPF is invalidated in the years to come, facing the same fate as its two predecessors.