On July 10, 2023, the European Commission adopted its final adequacy decision for the EU-US Data Privacy Framework (EU-US DPF) which introduces new binding safeguards for the protection of personal data when transferred between the EU and the US. The framework is the product of over 18 months of negotiations between the European Commission and the US Department of Commerce following the invalidation of the previous framework – the EU-US Privacy Shield – and aims to facilitate the ongoing flow of personal data between the two jurisdictions.
While the adoption of an adequacy decision restores an important mechanism for the cross-border transfer of personal data, it has not been without its critics. Notably, in May, Members of European Parliament (MEPs) adopted a resolution urging against the Commission issuing an adequacy decision before addressing additional privacy concerns including “judicial independence, transparency, access to justice, and remedies.” Additionally, moments before the adequacy decision was announced, privacy campaign group noyb released a statement claiming that there is a “CJEU challenge ready to be filed” and that they “currently expect this to be back at the Court of Justice by the beginning of next year.”
However, as it stands the European Commission’s newly adopted adequacy decision is valid and contains two central provisions that address concerns raised in the CJEU’s Schrems II decision: limiting US surveillance agencies’ access to EU data to what is “necessary and proportionate,” and an independent dispute resolution mechanism and arbitration panel. Let’s take a closer look at the EU-US DPF and these two key features of the framework in more detail.
The EU-US DPF is a framework that US-based organizations can certify against, committing to a set of privacy principles. To certify under the EU-US DPF – as well as re-certify annually – organizations must publicly declare their commitment to comply with the principles of the EU-US DPF. Furthermore, organizations must submit the following information to the Department of Commerce (DoC):
- Details of the organization
- A description of the purposes for which personal data will be processed
- The personal data collected by the organization that will be covered by the framework
- The verification method and relevant independent recourse mechanism
- The statutory body that has jurisdiction to enforce compliance with the principles of the EU-US DPF
Organizations can begin to rely on the framework to receive personal data as soon as they are placed on the Data Privacy Framework list by the DoC.
EU-US DPF privacy principles
The principles found under the EU-US DPF are intended to be upheld by certified organizations to ensure that EU personal data is treated with an ‘essentially equivalent’ level of data protection to that found under EU data protection law. Once an organization has voluntarily decided to certify under the EU-US DPF, compliance with the principles becomes compulsory and enforceable.
Certified organizations will be required to process personal data lawfully and fairly under the purpose limitation and choice principle. Personal data should also be collected for a specific purpose and only used for that purpose. Additionally, the data accuracy, minimization, and security principle requires certified organizations to ensure personal data is kept accurate and up to date. Furthermore, personal data should be adequate, relevant, and not excessive to its original purpose. Personal data should not be kept for longer than is necessary for the specified purposes.
For organizations processing sensitive data, specific safeguards should be implemented to ensure adequate protection. Sensitive data under the EU-US DPF covers any personal data that is considered special category data under the GDPR. To process this type of data, certified organizations must obtain affirmative express consent from data subjects.
Under the transparency principle, certified organizations must inform data subjects about the processing of their personal data. This can be achieved through the use of a privacy notice that contains:
- Participation in the EU-US DPF
- Types of data collected
- Purposes for processing
- Types or identities of third parties to which personal data may be disclosed
- The purposes for disclosing personal data to third parties
- Data subject rights
- Contact details of the organization
- Available methods of redress
Under the accountability principle, the EU-US DPF will require certified organizations to be able to demonstrate their compliance with the framework and the principles set out within it. This means organizations will be required to put in place appropriate technical and organizational measures to meet their obligations and be able to demonstrate this to the competent supervisory authority.
In addition to the above principles, the EU-US DPF carves out specific rights for data subjects in relation to how they can manage their personal data. Under the EU-US DPF, certified organizations will be required to offer data subjects the right to access their personal data, the right to object to processing, the right to correction, and the right to erasure.
The framework also places restrictions on the onward transfer of personal data. Personal data transferred from the EU to the US “must not be undermined by the further transfer of such data to a recipient in the United States or another third country.”
One of the key elements of the EU-US DPF, and one that directly addresses the CJEU’s decision in the Schrems II case, is the limitations placed on the access to EU personal data by US surveillance and intelligence agencies. In line with the EU-US DPF, US surveillance agencies will be limited to accessing EU personal data only to the extent necessary and proportionate for maintaining national security. US agencies will also be held to stricter data minimization requirements to lessen the impact on individuals’ privacy.
These safeguards were implemented through an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, signed by President Biden on October 7, 2022. In addition, the Executive Order also provided for enhanced oversight of US intelligence service activities including having “senior-level legal, oversight, and compliance officials” in place to conduct periodic review of intelligence activities to ensure compliance with applicable US law.
Additionally, in a Q&A document, the European Commission stated: “All the safeguards that have been put in place by the US Government in the area of national security (including the redress mechanism) apply to all data transfers under the GDPR to companies in the US, regardless of the transfer mechanism used. These safeguards therefore also facilitate the use of other tools, such as standard contractual clauses and binding corporate rules.”
The second key area of the EU-US DPF that directly addresses the CJEU’s Schrems II decision is the establishment of a dual-layered redress mechanism for individuals. The EU-US DPF redress mechanism will be used in cases where personal data collected through US signals intelligence violates applicable privacy laws.
The first layer of the redress mechanism gives the Civil Liberties Protection Officer in the Office of the Director of National Intelligence (CLPO) the power to conduct investigations into complaints to determine whether non-compliance with the EU-US DPF or other US laws has occurred. The second layer empowers the Attorney General to establish a Data Protection Review Court (DPRC), which will provide an independent review of the CLPO’s decision.
Following the adoption of the adequacy decision by the European Commission, organizations can begin to certify against the framework to restore EU-US data flows without the need for additional safeguards (although it is still best practice to perform a Transfer Impact Assessment (TIA) and decide whether further safeguards are appropriate).
The EU-US DPF will now be subject to periodic review by the Commission, EU Data Protection Authorities, and authorities in the US; the first of these reviews will take place 12 months after the framework enters into force.
The best starting place for preparing to certify with the EU-US DPF is to conduct a data mapping exercise to document all instances of personal data that your organization holds. Mapping how that data flows within your organization and to third parties, paying particular attention to where the data is being transferred to, will help you understand which data transfers will be covered by the framework. It will also allow you to put the relevant protections in place and meet your obligations under the accountability principle of the EU-US DPF.
You should also consider your privacy notice processes and ensure that your external notices contain the relevant information to meet the framework’s transparency requirements and that your privacy rights requests processes can fulfill requests made under the EU-US DPF.
Request a demo to see how the OneTrust Privacy & Data Governance Cloud can help you prepare for certification with the EU-US Data Privacy Framework.