EU Finally Approves EU-U.S. Data Privacy Framework
On July 10, the European Union Commission gave its final approval — an “adequacy decision” — to the long-pending EU-U.S. Data Privacy Framework governing data transfers from EU countries (plus Iceland, Liechtenstein and Norway) to the United States. The decision took effect immediately. The DPF provides a relatively simple means to receive and process personal data of people in the EU. As recently as July 9, the only way to make such transfers legally was through EU-approved standard contractual clauses, entered into by a data exporter from the EU and a U.S.-based importer. The SCCs remain in effect and will continue to be widely used. The DPF provides a second transfer mechanism that most, if not all, companies should promptly take advantage of, for both legal and practical reasons. This article will provide some additional background on the DPF and then review the steps necessary to join.
Why the DPF Was Needed
The transfer problem is rooted in the General Data Protection Regulation, the EU’s comprehensive data privacy law that took effect in 2018. The GDPR has quickly become the model for privacy laws around the world, including a growing list of U.S. states. The GDPR provides detailed rules for the “processing” (a broad category that includes collecting and just about any use) of “personal data” (another broad category) relating to EU data subjects. The GDPR places particularly onerous restrictions on data transfers to countries — including the United States — that the EU deems to have inadequate national privacy laws. Other than the DPF, the GDPR’s principal lawful transfer mechanisms are explicit consent from every affected data subject (a standard that is very difficult to meet) and the SCCs.
Recognizing the impact on transatlantic business, in July 2016 the EU and United States agreed on the Privacy Shield program, managed by the U.S. Department of Commerce. It allowed individual U.S. companies to become lawful recipients of EU data transfers if they annually self-certified that they were providing EU levels of privacy protection. Then, in July 2020, the Court of Justice of the European Union (the EU’s Supreme Court), in a case called Schrems II, struck down the Privacy Shield as violating the EU Charter of Fundamental Rights. The CJEU’s concerns had nothing to do with ordinary business transactions, but rather with the possibility of U.S. intelligence snooping under the Foreign Intelligence Surveillance Act, which gives the government very broad power to collect data on “non-U.S. persons,” without notice and, prior to certain recent changes to FISA, with no meaningful right of court review.
After the demise of the Privacy Shield, businesses looking for a lawful transfer mechanism were left with only explicit consent (which, as mentioned, is impractical in many situations) and the SCCs, under which the exporter and importer agree by contract to EU-level privacy protections. Large data businesses increasingly insisted that their smaller partners sign the SCCs. The basic commitments are not difficult for diligent businesses that follow industry best practices. The problem was that the EU data authorities, following through on the details of the Schrems II decision, demanded that SCC parties take “supplementary measures” to avoid potential government snooping. The parties were required to assess whether there was a government threat to privacy — in the United States, there always was — and, if so, to take all-but-impossible technical measures to mitigate that threat. As a practical matter, these standards could not be met. As a consequence, the parties were legally required to “avoid, suspend or terminate the transfer.” In the real world, most businesses forged ahead and signed the SCCs without knowing for sure that they could comply in full, and hoped they would never be challenged, either by their counterparty to the contract or EU data authorities. This was a reasonable approach, since the vast majority of EU enforcement actions have been against Big Data companies and a few smaller entities that have been subject to significant data security breaches after intentional indifference to GDPR rules.
Now, here in 2023, the DPF has essentially resurrected the Privacy Shield. The United States has taken several steps to limit FISA access to personal data, including the establishment of a new review court. In its July 10 adequacy decision, the EU deemed these steps sufficient.
The DPF does not change the substantive requirements of the Privacy Shield. In fact, the Commerce Department kept the Privacy Shield alive, even though it no longer met EU standards. Many American companies maintained their self-certification, both for public relations purposes and because it kept them on track to meet developing U.S. and global legal standards. Those companies can meet DPF standards with few (if any) changes in their practices and policies.
Almost every company should self-certify for the DPF, whether or not it currently participates in the Privacy Shield. As we explain below, it is a straightforward and relatively inexpensive process. Legally, the DPF provides a secure safe harbor for transatlantic data transfers. On a practical level, smaller companies should expect their larger partners to insist on it in order to protect themselves.
The only argument against joining the DPF is that it may not survive. A charitable foundation started by the Schrems II plaintiff, Max Schrems, has already threatened to bring a new lawsuit seeking to strike down the DPF. It is possible that such a legal challenge will succeed again in the CJEU. If that happened, we would be back to where we were on July 9, pre-DPF. But that outcome is only a speculative possibility, and is not a justification for putting off doing something with clear benefits in the here and now. If the DPF were struck down, a self-certified company would have spent a few hundred dollars (for a small company) to a couple of thousand dollars (for a large company) and would be committed to policies it should be adopting anyway under current industry best practices. So businesses should self-certify, and the sooner the better.
The DPF Self-Certification Process
Companies that were participating in the Privacy Shield at the time the DPF took effect needed only to update their privacy policies before Oct. 10 to reflect that they were now participating in the DPF. Companies that did this must recertify before their current Privacy Shield deadline. They can check their recertification deadline here.
For companies that do not currently participate in the Privacy Shield, the Department of Commerce has provided helpful, step-by-step instructions for the DPF self-certification process here.
The required steps include:
- Providing company and contact information, including naming a responsible corporate officer;
- Describing the company’s activities with regard to EU personal data;
- Designating an “independent recourse mechanism” (the Better Business Bureau, for example) to investigate unresolved complaints;
- Choosing the U.S. Federal Trade Commission (in almost all cases) or Department of Transportation as the enforcement agency;
- Stating whether the company uses self-assessment or outside review to verify its compliance; and
- Providing very general information about the company’s size and revenue levels.
Companies will, of course, need to carefully review (and confirm they comply in full with) all of the DPF Principles, which consist of seven core principles and 16 supplemental principles that apply to certain businesses or in certain industries. The DPF Principles are laid out here.
DPF participation takes effect upon approval by the Department of Commerce, and annual re-certification will be due 12 months later. Annual fees range from $250 to $3,250, depending on the company’s annual revenue.
The U.S.-U.K. Data Bridge
The Data Bridge (formally known as the U.K. Extension to the EU-U.S. DPF) took effect on Oct. 12. This program allows companies to piggyback on their DPF certification to lawfully transfer data from the United Kingdom to the United States. Companies that currently participate in the DPF can simply log in to their DPF accounts, click on “Self-Certify” and accept the option of self-certifying to the U.K. Extension. Companies can do this at the time of their annual recertification or outside of recertification, as long as they do it before Jan. 17, 2024. Companies that don’t currently participate in the DPF can add the U.K. Extension when they join the DPF. In either case, the annual recertification date for the U.K. Extension will be the same as that for the DPF. The U.S. government’s DPF website has helpful guidance here.
What About Switzerland?
A parallel agreement with Switzerland, the Swiss-U.S. DPF, took effect on July 17. The principles and process for joining are essentially the same as for the U.K. Extension. The U.S. DPF provides guidance at the same website.
Attorneys in Robinson Bradshaw’s Cybersecurity & Privacy Practice Group are primed to assist clients in the process of DPF self-certification, as well as to assist with privacy compliance matters generally.