On 10 July 2023, the European Commission adopted a new adequacy decision for the EU-US Data Privacy Framework (“DPF”). This follows the previous invalidation of the Safe Harbor and Privacy Shield schemes under the Schrems cases.
The DPF was made possible after President Biden signed an Executive Order in October 2022 on ‘Enhancing Safeguards for United States Signals Intelligence Activities’, which addresses the concerns raised by the European Court of Justice (“ECJ”) in its Schrems II decision of July 2020. It provides for safeguards that limit access to data by US intelligence authorities to what is “necessary and proportionate” to protect national security and includes enhanced oversight by US intelligence services to ensure compliance with limitations on surveillance activities.
The decision finds that the US ensures an adequate level of protection – comparable to that of the EU – for personal data transferred from the EU to US companies that have self-certified under the new framework. On the basis of the new adequacy decision, personal data can be transferred from the EU to US companies that participate in the Framework, without the need for additional data protection safeguards such as standard contractual clauses (“SCCs”) and without the need to conduct a transfer impact assessment (“TIA”).
EU individuals will have access to redress if their data is wrongly handled by US companies. This includes free-of-charge independent dispute resolution mechanisms and an arbitration panel.
US companies can join the DPF by committing to comply with a detailed set of privacy obligations. This will include, for example, privacy principles such as purpose limitation, data minimisation and data retention, as well as specific obligations concerning data security and the sharing of data with third parties.
The safeguards put in place by the US will also facilitate transatlantic data flows more generally, since they also apply when data is transferred by using other tools, such as SCCs and binding corporate rules.
The Framework is administered and monitored by the US Department of Commerce. The US Federal Trade Commission will enforce US companies’ compliance.
What about the UK?
As a result of Brexit, the DPF only applies to personal data that is subject to EU GDPR and does not apply under UK GDPR. However, in June 2023, the UK and the US agreed to establish a UK Extension to the Data Privacy Framework, which will create a ‘data bridge’ between the two countries. Now that the DPF has been adopted, this should go live in the near future.
So, what happens next?
Will the new DPF survive a future challenge, such as a possible Schrems III? Some have commented that the DPF is not materially different from the failed Privacy Shield. We think that a challenge is likely, but we shall have to wait and see.
At least for the time being, though, EU and US firms can take advantage of the DPF as a more straightforward transfer mechanism than implementing SCCs, and one that does not require a TIA. Organisations that rely on it will need to update their privacy notices to reflect this. For organisations that continue to rely on SCCs, TIAs can take account of the beneficial impact of the changes to US surveillance laws.