New EU-US Data Privacy Framework – Key takeaways for transatlantic data transfers

Viewpoints
July 12, 2023
7 minutes

On 10 July 2023, the European Commission (EC) published its long-awaited decision implementing the EU-US Data Privacy Framework (DPF). The DPF permits participating organisations to transfer personal data from the EU to the US without the need for any additional data transfer safeguard or derogation, such as the Standard Contractual Clauses issued by the EC.

Background

The EC's implementing decision is the final legislative step in a series of measures to adopt the DPF and follows its draft adequacy decision published in December 2022 (for more information on the draft adequacy decision, see our previous alert here). As with its draft decision, the EC confirms that the safeguards implemented by Executive Order 14086 (EO 14086) are sufficient to ensure that the US provides an adequate level of protection for personal data transferred from the EU to organisations participating in the DPF. Indeed, the US government confirmed the adoption of such safeguards on 3 July 2023 (for more information on EO 14086, see our previous alert here).

Comparison of the DPF to the Privacy Shield Framework 

Compared to its predecessor framework, there are several points of note, including:

  • Similarities to the Privacy Shield Framework. The DPF's principles, scope of applicability and certification mechanisms generally remain the same as the Privacy Shield Framework. As the Privacy Shield Framework was published before the General Data Protection Regulation (GDPR) came into force, the DPF also includes several minor changes, such as updates to refer to the GDPR instead of the Data Protection Directive.
  • Further information on new redress mechanisms and oversight of US signals intelligence activities. The DPF includes further information on the new redress mechanisms and the oversight of, and limitations on, US signals intelligence agencies, as first introduced by EO 14086 last year. Additional information on how they are intended to function in practice is also included, such as information regarding the exercise of data subject rights in accordance with the GDPR. This helps to address a key issue raised by the European Data Protection Board (EDPB) in its opinion on the draft adequacy decision, in which the EDPB called on the EC to provide additional clarity on how individuals can exercise data subject rights under the DPF, among other areas of uncertainty (for more information on the EDPB's opinion, see our previous alert here).
  • Further information on the frequency of the DPF's review. The EC will review the DPF within one year after its entry into force (i.e. by 10 July 2024) to verify the effective functioning of the DPF. Further periodic reviews will also be conducted, with the frequency of such reviews depending on the outcome of: (i) the initial review; and (ii) the EC's consultation with the EU Member States and data protection authorities, such as the EDPB. In any case, such reviews will occur at least once every four years. 

Key takeaways for organisations

Certain takeaways will be of particular note to all organisations including:

  • The DPF impacts organisations, regardless of whether they certify to the DPF. In its Q&A, the EC states that the measures put in place by the US government in the area of national security (such as the redress mechanism) apply to all data transfers under the GDPR to companies in the US, regardless of the transfer mechanism used, and that these measures also facilitate the use of other data transfer mechanisms (such as the Standard Contractual Clauses and Binding Corporate Rules). The EC does not provide further information as to what this means in practice, nor does it expressly state whether supplementary measures must still be implemented for EU-US transfers. Nonetheless, this indicates that organisations should at least consider the DPF when completing EU-US transfer impact assessments, and that the aforementioned measures may support a finding of lower risk.
  • Re-certification from Privacy Shield to DPF. Organisations that were previously certified under the Privacy Shield Framework and continue to participate under the DPF must update their privacy policies to refer to the DPF instead. Such references must be updated as soon as possible, and in any case by no later than 10 October 2023.
  • Restrictions on public statements. Organisations certifying to the DPF for the first time are not permitted to publicly refer to their adherence to the DPF's principles before the US Department of Commerce (DOC) has: (i) determined that the organisation has validly submitted its certification; and (ii) added the organisation to the DPF list (a publicly available list of all DPF-certified organisations). The DOC will notify the relevant organisation once its DPF certification is complete. Until this has been done, organisations must not make any transfers in reliance on the DPF, and should continue to use existing safeguards such as the Standard Contractual Clauses.
  • Treatment of key-coded data. Key-coded data (i.e. pseudonymised data) may still constitute personal data, given the broad definition of personal data under the GDPR. In contrast to the previous position under the Privacy Shield Framework, the EC now states that where key-coded data is deemed to be personal data under the GDPR, it remains subject to the DPF's principles.
  • Treatment of HR data. The DPF specifically calls out notice requirements relating to the transfer of HR data. This focuses on personal data which is not statistical or aggregated, and highlights the challenges of using HR data for non-employment purposes such as marketing communications, as well as of onward transfers, for example to travel or insurance providers, since such onward transfers will need to be considered and communicated to the employees. The DPF also highlights that the employee's right to access personal data must comply with local laws in the country where the employee is employed, regardless of where the data is processed or stored.
  • Compliance monitoring/spot checks. Organisations may be subject to random spot checks in order for the DOC to monitor compliance with the DPF's principles. The DOC may also conduct targeted spot checks if potential compliance issues are identified, such as when the DOC receives a report or complaint about the relevant organisation from a third party. Such spot checks will involve an assessment of: (i) whether the points of contact for handling complaints and data subject requests are available and responsive; (ii) the availability of the organisation's privacy notice on its own website and on the DOC's website; (iii) whether the organisation's privacy notice continues to comply with the certification requirements; and (iv) the availability of the organisation's dispute resolution mechanism to handle complaints. As part of its monitoring activities, the DOC may also actively monitor the news for information that provides evidence of non-compliance.

Grandfathering from the Privacy Shield 

Organisations that were Privacy Shield certified do not need to make a separate, initial self-certification submission to participate in the DPF and may begin relying immediately on the DPF to receive personal data transfers from the EEA. However, such organisations will need to update their privacy policies by 10 October 2023 to reflect the changes between the Privacy Shield Framework and the DPF. We do not expect this to be a heavy lift.

Eligible organisations looking to transfer personal data from the UK to the US and wishing to self-certify their compliance pursuant to the UK Extension to the DPF may do so from 17 July 2023. However, they may not begin relying on the UK Extension to the DPF until the UK has approved its data bridge. This is expected later in 2023. For more information on the UK-US Data Bridge, please see our previous alert here.

The Swiss-US Data Privacy Framework (Swiss-US DPF) Principles will enter into effect on 17 July 2023. However, organisations may not begin relying on the Swiss-US DPF to receive personal data transfers from Switzerland until the date of entry into force of the Swiss Federal Administration's anticipated recognition of adequacy for the Swiss-US DPF. This approval is expected imminently. Organisations that were certified under the Swiss-US Privacy Shield Framework Principles must comply with the Swiss-US DPF Principles, including by updating their privacy policies by 17 October 2023.

Commentary

The DPF will no doubt be welcomed by organisations, as it facilitates EU-US data flows underpinning approximately $7.1 trillion in cross-border commerce. However, the durability of the DPF remains a key consideration for organisations. While the DPF addresses some of the issues identified as weaknesses during the drafting process, it remains to be seen whether its finalised form will be capable of withstanding legal challenge.

A legal challenge is expected. NOYB, a privacy non-profit founded by Max Schrems, has indicated its intention to challenge the DPF, and anticipates a final decision on "Schrems III" by the Court of Justice of the European Union (CJEU) in 2024 or 2025. This could come earlier under the CJEU's expedited procedure, if the referring EU member state national court establishes that the ruling is one of "exceptional urgency".

In the interim period, the CJEU may also grant an injunction stopping data transfers under the DPF. However, an expedited CJEU procedure and an interim injunction both appear unlikely, as neither was granted during the legal challenges to the Privacy Shield Framework and its predecessor framework (Safe Harbour). Moreover, Didier Reynders, the EU Justice Commissioner, has indicated that the redress mechanism should be tested first before the DPF is subjected to legal challenge. This suggests that "Schrems III" may depend, at least in part, on how effectively the redress mechanism works in practice in the coming months or years.