Let’s Get Back Together?: What to Do About the EU-U.S. Data Privacy Framework Adequacy Decision

Earlier this month the EU Commission adopted an adequacy decision for the EU-U.S. Data Privacy Framework (”DPF”), which replaces the Privacy Shield program that the Court of Justice of the European Union (“CJEU”) held invalid in its Schrems II decision. This post examines some common questions about this latest installment in the on-again, off-again EU-U.S. data transfer saga.

What does this mean for businesses?

The decision will allow U.S. companies that certify to and comply with the DPF’s requirements to transfer personal data from an EU controller to U.S. controllers or processors without having to (i) implement other transfer mechanisms like the Standard Contractual Clauses (“SCCs”) or binding corporate rules, or (ii) conduct a transfer impact assessment (“TIA”) and implement “supplementary measures” contemplated by Schrems II and the EDPB’s corresponding guidance.

How does the DPF change Privacy Shield?

The U.S. Department of Commerce’s International Trade Administration (“ITA”), which administers the DPF, confirms in FAQ responses that the DPF “does not create new substantive obligations for participating organizations with regards to protecting EU personal data” relative to Privacy Shield. The ITA further states that “[t]he privacy principles and the process to initially self-certify and annually re-certify remain substantively the same.”

If the DPF and Privacy Shield are substantively identical, how does this program resolve the government surveillance issues that caused the CJEU to strike down Privacy Shield in Schrems II?

The DPF itself does not directly address government surveillance. On October 7, 2022, however, President Biden signed an executive order intended to address the issues the CJEU raised in Schrems II.

At a high-level, the order directs U.S. intelligence agencies to apply certain safeguards to signals intelligence activities involving EU data subjects to appropriate safeguards and establishes a redress process for qualifying complaints transmitted by an appropriate public authority in qualifying European states.

My organization is certified to Privacy Shield. What do I have to do in response to the adequacy decision?

The ITA is advising that organizations that remained self-certified to Privacy Shield as of the date of the Commission’s adequacy decision and want to participate in the DPF do not have to make a separate, initial self-certification to the DPF and may begin relying immediately on the Commission’s adequacy decision to receive personal data transfers from the EU. Those organizations will also have the same recertification due date as under Privacy Shield.

The ITA is also advising, however, that Privacy Shield organizations must implement compliance with the DPF’s requirements by October 10, 2023. The key immediate action item on that front will be updating Privacy Shield privacy policy disclosures.

Fortunately, those updates should be relatively straightforward for an organization with a Privacy Shield-compliant privacy policy: references to “EU-U.S. Privacy Shield” should be replaced with references to the “EU-U.S. Data Privacy Framework” and the link to the Privacy Shield list should be updated with a link to the new DPF site. Organizations should also review their policies for other provisions discussing international transfers to assess whether those provisions appropriately reflect the DPF’s replacement of Privacy Shield and the organization’s DPF participation.

Additionally, even though the ITA confirmed that the DPF does not create new substantive obligations as compared to Privacy Shield, organizations certified to Privacy Shield should still evaluate their compliance with program principles that may have been deprioritized or set aside following Schrems II. Key considerations include:

  1. Ensuring DPF required onward transfer agreement terms are in place with recipients of onward transfers.
  2. For organizations transferring non-HR data, paying all fees and satisfying any other requirements necessary to engage an independent dispute resolution mechanism.
  3. Implementing processes to conduct an annual assessment of compliance with the DPF.

Current Privacy Shield participants should also consider whether to participate in the UK Extension to the DPF and whether to take advantage of the Swiss-US DPF once Switzerland adopts an adequacy decision for that program. The ITA advises that organizations can participate in the UK extension for no additional fee either by indicating participation as part of the annual recertification to the DPF or outside the annual recertification process by adding the UK extension within the organization’s online DPF account “no later than six months from July 17, 2023.” The ITA also advises that organizations can elect to participate in the Swiss-U.S. DPF within the organization’s online DPF account and by paying the requisite additional fee. Additional privacy policy amendments would be necessary to account for participation in the UK Extension and Swiss-U.S. DPF.

My organization is not certified to Privacy Shield and has used the SCCs with TIAs for European transfers. Should I participate in DPF?

Pending resolution of legal challenges to the DPF, most organizations will likely want to continue to use the SCCs to support EU-U.S. data transfers regardless of DPF participation. Noyb, the organization founded by Max Schrems that successfully led efforts to strike down two prior EU-U.S. data transfer frameworks, already announced it will challenge the DPF. If the challenge is successful, SCCs with “supplemental measures” under Schrems II will remain the most practical mechanism available to support EU-U.S. data transfers for most organizations. Continuing to use the SCCs will therefore avoid the need for a resource-intensive effort to implement SCCs for transfers conducted pursuant to the DPF if it is struck down.

Additionally, transfers relying on the SCCs will still benefit from the executive order requirements and redress mechanisms discussed above—even for organizations that do not participate in the DPF—as made clear in an Information Note issued by the EDPB on July 18. In that note, the EDPB emphasized that “all the safeguards that have been put in place by the US Government in the area of national security (including the redress mechanism) apply to all data transferred to the US, regardless of the transfer tool used.” Thus, the executive order and the Commission’s adequacy decision provide additional favorable factors to incorporate into TIAs supporting SCC transfers from the EU to the U.S.

For organizations that didn’t remain (or never were) certified to Privacy Shield, there could be some benefits to participating in the DPF in addition to using the SCCs.  Those benefits could include:

  1. Addressing demands by, or providing assurances to, customers or business partners.
  2. Supporting intragroup transfers if no intragroup data transfer agreement exists.
  3. Engaging in high risk transfers for which a “belt-and-suspenders” approach may be preferable, such as transfers of highly sensitive data or that involve an importer that is historically subject to government access or requests for access.

Organizations should, however, weigh those possible benefits against the potential downsides, including assuming additional ongoing compliance and recertification obligations, the costs of DPF participation, and voluntarily subjecting organizations to additional regulatory oversight by the FTC.

* * * *

If you would like to discuss considerations around DPF participation or how to participate and comply, please reach out to any member of the Wyrick Robbins privacy team.