European Commission Approves EU-U.S. Data Privacy Framework
On July 10, 2023, the European Commission adopted a highly anticipated adequacy decision for the EU-U.S. Data Privacy Framework (the “Framework”). This decision allows U.S. organizations that were certified under the Privacy Shield to receive personal data transfers from the European Union (“EU”) or European Economic Area (“EEA”) without engaging in additional mechanisms such as the Standard Contractual Clauses.
U.S. organizations that were not previously certified under Privacy Shield can now apply for certification under the Data Privacy Framework through an online application process. The decision became effective on July 11, 2023, and certification applications were made available on July 17, 2023, following the Commission Implementing Decision of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-U.S. Data Privacy Framework.
Under the General Data Protection Regulation (“GDPR”), personal data may be transferred from the EU/EEA to a non-EU/EEA country (a “third country”) or a particular sector of the third country if (a) the third country or sector, as applicable, has received an adequacy decision from the European Commission, or (b) the transfer is either subject to approved data transfer mechanisms or covered by an exemption. The European Commission may adopt an adequacy decision for a third country or sector where the European Commission has concluded that the third country or sector ensures an adequate level of data protection comparable to that of the EU/EEA. An adequacy decision will allow personal data to flow freely from the EU/EEA without further conditions or authorizations.
From July 2016 to July 2020, the adequacy decision granted to the EU-U.S. Privacy Shield Framework allowed legal transfers of data from the EU/EEA to the U.S. However, in 2020, the Court of Justice of the European Union struck down the European Commission’s decision on the adequacy of the protection provided by the EU-U.S. Privacy Shield Framework (“Privacy Shield”), stating that the U.S. did not provide adequate protection for personal data of European residents. As a result of that decision, the Privacy Shield Framework was no longer a sufficient basis for compliance with GDPR data protection requirements when transferring personal data from the EU/EEA to the U.S. This meant that such transfers were required to utilize an approved data transfer mechanism, such as the Standard Contractual Clauses (“SCCs”), a requirement that has often resulted in cumbersome contractual negotiations for businesses wishing to transfer personal data, as well as additional liability taken on through the SCCs.
Key Features of the EU-U.S. Data Privacy Framework
The Framework requires participating U.S. organizations to comply with certain GDPR principles by informing individuals (“data subjects”) of the nature of the organization’s processing and honoring data subjects’ requests to exercise their rights to access or correct their data or to object to the processing of their data. Participating organizations are also required to implement appropriate technical and organizational measures to comply with their obligations and to demonstrate their compliance to a supervisory authority.
A major factor in the invalidation of Privacy Shield was the potential for bulk surveillance of data in the U.S. by the U.S. government, law enforcement, and intelligence agencies. On October 7, 2022, the White House issued EO 14086 on Enhancing Safeguards for United States Signals Intelligence Activities (“EO 14086”), which created new safeguards governing intelligence gathering practices that align with the GDPR principles of necessity and proportionality of personal data collection. Under the Framework, members of the U.S. intelligence and law enforcement community are required to consider these principles before initiating surveillance activities involving personal data that is subject to GDPR.
The Framework also establishes the Data Protection Review Court (the “Court”) in the U.S. as a new judicial redress system that data subjects can utilize to challenge alleged violations of the Framework principles. The Court will have independent and binding authority and will be empowered to investigate and resolve complaints about the access to and use of personal data by U.S. intelligence agencies from any individual whose data has been transferred from the EU/EEA to U.S. organizations. Individuals will not be required to demonstrate that their data was actually collected by U.S. intelligence agencies in order for their complaint to be received by the Court.
Individuals may submit their complaint to their national data protection authority, and complaints will then be transferred to the U.S. by the European Data Protection Board. Complaints will initially be investigated by the newly created Civil Liberties Protection Officer of the U.S. intelligence community, who will be tasked with ensuring the compliance of U.S. intelligence agencies with the privacy rights established in the Framework. Individuals may appeal the decision of the Civil Liberties Protection Officer to the Court. The Data Protection Review Court will consist of non-governmental members who will be appointed on the basis of their specific qualifications and cannot receive instructions from the government. The Court can investigate complaints and make binding decisions, including requiring the deletion of data. As a part of its investigation, the Court will appoint a special advocate with relevant experience to support the Court and ensure that the interests of both the individual and the organization are represented.
It is important to note that the adequacy decision applies only to organizations in the U.S. that have certified compliance to the Framework principles and are included in the Data Privacy Framework List that will be maintained by the U.S. Department of Commerce. Organizations that are not certified under the Framework must continue to rely on approved data transfer mechanisms for transfers of personal data from the EU to the U.S.
Organizations certified under Privacy Shield may begin relying immediately on the Framework adequacy decision to legitimize their receipt of personal data from the EU/EEA. Compliance will be enforced by the U.S. Federal Trade Commission. A new website for the Framework launched on July 17, 2023, and includes guidance on the privacy principles and resources for organizations interested in certification.
While the Framework provides for an easier flow of personal data from the EU/EEA to the U.S., some critics argue that the essential issue of mass surveillance by the U.S. intelligence community has not been sufficiently addressed. Max Schrems, a privacy activist who filed lawsuits that led to previous iterations of an EU-U.S. data transfer agreement being struck down by the Court of Justice of the European Union, stated that he is likely to bring a new legal challenge to the Framework soon. He expects his complaint to be heard by the European Court of Justice in early 2024.
Koley Jessen will continue to monitor developments related to the Framework and advise as updates become available. If you have questions as to how your business can certify under the Framework, please contact one of the specialists in Koley Jessen’s Data Privacy and Security Practice Area.