The EU–U.S. adequacy decision: What does it mean and how can your organisation rely on it?
The EU–U.S. adequacy decision: What does it mean and how can your organisation rely on it?
On 10 July 2023, the European Commission adopted its adequacy decision with the United States, establishing the EU-U.S. Data Privacy Framework (DPF). The DPF now paves the way for free flows of personal data with U.S. organisations, removing any need to put in place appropriate transfer mechanisms to safeguard against data transfer or indeed to carry out a transfer impact assessment. Both requirements can be a costly exercise, especially where multiple transfer arrangements are involved, and the recent announcement will come as a welcome relief to a number of organisations who are exposed to such data transfer to the U.S. The DPF is enabled by the US President’s Executive Order 14086, which seeks to remedy the shortcomings of the Privacy Shield, the previous framework that was invalidated by the Court of Justice of European Union (CJEU) in 2020. (For more information, see this article).
Unlike other adequacy decisions, EU organisations cannot simply transfer personal data to any data importer/recipient in the U.S. — for the data to flow freely, the relevant recipient must be self-certified with the DPF (more on this below). This means that, as part of their accountability obligations, EU organisations must obtain evidence of self-certification before they transfer personal data to the U.S.
How can your organisation rely on the DPF?
On 17 July 2023, the U.S. government launched the DPF website where organisations are now able to self-certify to the DPF. It is worth noting that the Swiss-U.S. DPF has also recently come into force, giving a green light to personal data transfers between Switzerland and the U.S. — the same considerations would therefore apply to Swiss-U.S. transfers as outlined below.
For EU-based organisations: how can you check self-certification?
Before sending personal data to the United States, you must confirm that the recipient is a DPF participant for the type of information you are transferring. More precisely, you must:
- Confirm that the organisation has an active status on the Data Privacy Framework List (DPF List).
- Confirm that the types of personal data are covered by the recipient organisation’s DPF commitments. This information is available on the organisation’s DPF program record in the DPF List. Make sure to check ‘Other Covered US Entities and U.S. Subsidiaries’ section as well as the ‘Participation’ section of the record.
- Review the privacy policy statement that applies to the covered personal data, which can also be found in the organisation’s DPF program record (‘Privacy Policy’ section).
If you have any questions as you are walking through the above steps and would like to contact the participating organisation, you can go to the ‘Dispute Resolution’ section of the DPF program record, where you can access the organisation’s contact information. If you have additional questions, you can also contact the DPF team here.
For U.S.-based organisations: how can you self-certify?
U.S. organisations can now self-certify to participate in the DPF, enabling them to receive personal data from the EU. According to the DPF Program website, there are a number of steps that a U.S.-based recipient needs to take:
- Confirm the organisation's eligibility to participate in the DPF Program: Only U.S. legal entities subject to the jurisdiction of the Federal Trade Commission (FTC) or the U.S. Department of Transportation (DOT) are currently eligible to participate in the DPF program.
- Develop a DPF-compliant privacy policy statement (See Privacy Policy FAQs for additional information). A U.S.-based organisation wanting to receive personal data from the EU must develop a DPF-compliant privacy policy before submitting its initial self-certification to the U.S. Department of Commerce’s International Trade Administration (ITA).
- Ensure that the organisation has in place an appropriate independent recourse mechanism for each type of personal data covered by its self-certification.
- Make the required contribution for the Annexe I binding arbitration mechanism.
- Ensure that the organisation's verification mechanism is in place. The organisation must have procedures in place for verifying that the attestations and assertions that it makes about its DPF privacy practices are true and those privacy practices have been implemented as represented and in accordance with the DPF Principles.
- Designate a contact within the organisation regarding DPF compliance. The organisation is required to provide a contact for the handling of complaints, access requests, and any other issues concerning the organisation’s compliance with the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF.
- Review the information required to self-certify. Prior to submitting a self-certification via the DPF program website, the organisation should review and compile the information required as part of the ITA's online self-certification process (See required self-certification information).
- Submit your organisation's self-certification to the ITA.
UK-U.S. Data Bridge
The EU–U.S. adequacy decision has no direct effect on personal data transfers between the United Kingdom and the United States. In other words, at the moment UK organisations are unable to rely on the EU–U.S. adequacy decision in order to transfer personal data to US-based recipients.
In a previous article we noted that in June 2023, the UK and the U.S. issued a joint statement on the establishment of a UK–U.S. data bridge. This is ultimately the UK’s take on their own data protection framework enabling free flows of personal data between the UK and the U.S. If adopted, it will be an extension to the DPF, which means that UK organisations will be able to transfer personal data to those recipients in the US which have self-certified with the DPF. ‘A UK-US data bridge would uphold the rights of data subjects […] whilst reducing the burdens on businesses and delivering better outcomes for people,’ the joint statement reads.
In light of the recent EU–U.S. adequacy decision, it is likely that the UK-U.S. data bridge will follow soon. For it to materialise, however, two things need to happen:
- The U.S. must first designate the UK as a ‘qualifying state’ for the purposes of the Executive Order 14086; and
- The UK must adopt its adequacy regulations subject to the assessment of U.S. data protection laws and practices.
At the time of writing, neither of those steps has taken place. That said, U.S.-based organisations can already self-certify to the UK’s extension to DPF. However, until the UK–U.S. data bridge is put into place through the UK’s adequacy regulations, U.S.-based organisations cannot rely on it to receive personal data from the UK. Instead, such UK-U.S. data transfers will continue to require appropriate safeguards or derogations to be put in place, together with a transfer risk assessment.
Schrems III?
On the same day as the European Commission announced the EU–U.S. adequacy decision, a noyb published article noted that a ‘CJEU challenge was ready to be filed’. It seems that noyb’s main concerns continue to be the same as those already addressed by the CJEU in the previous Schrems II judgment:
- Bulk surveillance. While the new Executive Order 14086 introduces the term ‘proportionate’ to limit U.S. intelligence programs, noyb is concerned that ‘the US will attribute another meaning to the word "proportionate" than the CJEU.’
- Redress mechanisms. The order introduces a two-tier redress mechanism by establishing a Civil Liberties Protection Officer and a Data Protection Review Court (DPRC). However, noyb is not convinced that these mechanisms are sufficient to qualify as ‘judicial redress’ for the purposes of Article 47 of the Charter of Fundamental Rights, including because the DPRC ‘is not a court, but a partly independent executive body’ and the individual ‘will not have any direct interaction with the new bodies.’
Overall, noyb casts doubts on the effectiveness of the DPF and calls it a ‘copy’ of the previous framework, while preparing for a CJEU challenge. ‘A final decision by the CJEU would be likely by 2024 or 2025. No matter if such a challenge will be successful, this will bring clarity to the "Trans-Atlantic Data Privacy Framework" within about two years.’
Until the CJEU makes a final determination on whether the DPF provides essentially equivalent safeguards as those required by EU law, EU and U.S. organisations will be able to rely on the free flow of data offered by the DPF.
What’s the EU – U.S. DPF’s impact on your organisation?
If your organisation is based in the EU, moving forward you will have to check and confirm that a U.S. data importer/recipient is self-certified under the DPF before a transfer takes place. Use the recipient’s name to search against the DPF List. If the U.S. recipient is not participating in the DPF, and wishes to participate, they will have to self-certify to the DPF before any personal information is shared. If no reliance can be placed, your organisation will have to revert to one of the pre-existing appropriate safeguards (e.g., Standard Contractual Clauses, Binding Corporate Rules) or, where applicable, a derogation available under Article 49 of GDPR. You will also have to carry out a transfer impact assessment to support your transfers.
If your organisation is based in the UK, you cannot currently rely on the EU-U.S. DPF to transfer personal data to the U.S. as the UK is no longer part of the EU and the European Commission’s adequacy decision has no direct impact on the UK at this moment in time. This means that, presently, you must continue to use the appropriate safeguards (e.g., the International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses) or rely on one of the available derogations under Article 49 of the UK GDPR for international data transfers. You must also carry out a transfer risk assessment, which is a mandatory requirement to validate your transfers.
Despite this, and in expectation of the UK-U.S. data bridge being finalised in the near future, U.S.-based organisations can self-certify in advance under the UK’s extension to the DPF. Once the UK-U.S. data bridge is in place, UK-based organisations will be able to transfer personal data freely to U.S. recipients that have self-certified. However, as mentioned above, the UK-U.S. data bridge is yet to materialise, and it depends on the UK’s designation of the U.S. as an adequate jurisdiction. Our recommendation at the time of writing is to keep an eye out for specific developments in this area in the coming week and/or months.
DPF Challenges: What does the future hold?
MP Philippe Latombe has recently announced that he will be challenging the EU DPF before the Court of Justice of the European Union (CJEU). This announcement came less than two months after the EU-US DPF framework came into effect, seeking to address uncertainties surrounding transfers of data between the two jurisdictions.There are doubts, however, whether this challenge will succeed. This is largely because of potential procedural hurdles that the case has to go through one of which concerns the fact that the challenge was raised as a ‘direct action’—i.e., Mr Latombe went straight to the CJEU, asking for the invalidation of the DPF. While this strategy bypasses domestic courts, Mr Latombe will have to demonstrate that the DPF concerns him directly and individually, and that he has suffered ‘serious and irreparable harm’. Therefore, the application may be dismissed without the court engaging in the discussion of the merits of the case. Interestingly, on 12 October 2023, the CJEU issued a ruling where it rejected the French MP Latombe's application to suspend the recently established EU-US Data Privacy Framework (DPF). The ruling (which is in French) appears to hinge on the fact that the applicant failed to demonstrate that he suffered 'serious and irreparable harm', which would justify an urgent suspension. However, it is to be noted that this is only an interim ruling - i.e., it doesn't mean a full failure of the application just yet. The full hearing and final decision are still underway. That said, the CJEU’s ruling will likely cast further doubts on the case that some have already considered to be tenuous.
Regardless of whether Mr Latombe’s challenge will succeed, there is, of course, an expectation that the new framework will receive CJEU’s scrutiny—as did its predecessors, the Privacy Shield, and the Safe Harbor. ‘CJEU challenge ready to be filed,’ noyb wrote in an article published on the same day as the European Commission’s adequacy decision - their main concerns continue to be the same as those already addressed by the CJEU in the Schrems II judgment.
The UK-US Data Bridge – October 2023 update
The UK-US Data Bridge, effective as of 12 October 2023, introduces a more straightforward and efficient process for transferring personal data between the UK and certified US organisations. This framework is an extension to the EU-US DPF and alleviates the requirement for additional safeguards mandated under the UK GDPR. The steps required to participate in the UK-US Data Bridge are similar to the ones discussed above for the EU-US DPF. The UK Government has published a factsheet on this matter. However, we’d like to highlight a few considerations we think might be noteworthy:- First and foremost, UK organisations cannot rely on the UK-US Data Bridge unless the data importer/recipient in the US:
- Has self-certified to the UK-Extension; and
- Appears on the DPF list.
- US organisations that are not subject to the jurisdiction of the Federal Trade Commission (FTC) or Department of Transportation (DoT) – for example, banking, insurance, and telecommunications companies – are currently unable to participate in this framework.
- Some categories of data are excluded from the DPF – namely, journalistic data. For more information, please refer to Supplemental Principle 2(b) of the EU-US Data Privacy Framework.
- The DPF does not mirror UK GDPR’s definition of special category data. More precisely, it does not include:
- genetic data;
- biometric data for the purpose of uniquely identifying a natural person; or
- data concerning sexual orientation.
- When transferring criminal records under the UK-US Data Bridge, the UK exporter must specify that this is sensitive data requiring additional protections. Importantly, if criminal records are shared in the context of HR data relationship, US importers/recipients are required to indicate that they are seeking to receive such data.
If you have any queries or would like further information, please visit our data protection services section or contact Christopher Beveridge.