EU-US Data Privacy Adequacy Decision: What It Means

by John DiGiacomo

Partner

Internet Law

The Legal Foundation of the EU-U.S. Data Privacy Framework

The EU-U.S. Data Privacy Framework (DPF), adopted by the European Commission on July 10, 2023, is an adequacy decision under Article 45 of the General Data Protection Regulation (GDPR), EU 2016/679. An adequacy decision is the EU’s formal finding that a non-EU country provides a level of data protection ‘essentially equivalent’ to that guaranteed in the European Union. Once adopted, it allows the free flow of personal data from EU member states to U.S. entities that have self-certified under the DPF, without requiring additional safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).

The DPF replaced the Privacy Shield framework, which was invalidated by the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v. Facebook Ireland Ltd. and Maximillian Schrems (Schrems II), Case C-311/18 (CJEU 2020). In Schrems II, the CJEU found that U.S. national security surveillance laws — particularly Section 702 of the Foreign Intelligence Surveillance Act (FISA) — did not provide sufficient limitations or judicial redress mechanisms for EU citizens.

What Changed: The Executive Order and the Data Protection Review Court

The DPF is built on two foundations: (1) self-certification by U.S. businesses with the Department of Commerce, and (2) Executive Order 14086, signed by President Biden on October 7, 2022. The Executive Order requires U.S. intelligence agencies to conduct surveillance of non-U.S. persons only when ‘necessary’ and ‘proportionate’ to defined national security objectives — importing a proportionality standard derived from EU law. It also created the Data Protection Review Court (DPRC), a new body empowered to hear complaints from EU residents about U.S. intelligence agencies’ access to their personal data.

DPF Self-Certification: Requirements and Process

To self-certify under the DPF, a U.S. organization must:

  • Be subject to the jurisdiction of the Federal Trade Commission or the U.S. Department of Transportation
  • Publicly commit to compliance with the DPF Principles by publishing a compliant privacy policy
  • Submit a self-certification to the International Trade Administration (ITA) through the DPF website (www.dataprivacyframework.gov)
  • Pay the applicable annual filing fee (currently $250–$3,250 depending on annual revenue)
  • Designate an independent recourse mechanism (IRM) to handle EU individual complaints
  • Renew certification annually

Key substantive requirements for DPF-certified organizations include: providing notice of data collection and processing purposes, offering opt-out rights for secondary uses and disclosures to third parties, maintaining data security appropriate to the risk, ensuring onward transfers to third parties comply with DPF standards, and cooperating with the Department of Commerce in investigations.

The Risk of DPF Invalidation: Schrems III

Max Schrems and noyb (None of Your Business) have already announced their intention to challenge the DPF in the CJEU — a challenge commonly referred to as ‘Schrems III.’ The legal argument is that Executive Order 14086 and the DPRC do not provide a sufficiently independent or effective redress mechanism because the DPRC is an executive-branch body, not an Article III court. Legal commentators widely expect a CJEU ruling on the DPF within three to five years of its adoption.

U.S. businesses that transfer EU personal data should not rely exclusively on DPF certification. Prudent compliance practice requires maintaining alternative transfer mechanisms as a backstop — particularly updated Standard Contractual Clauses — so that data transfers can continue if the DPF is struck down.

Standard Contractual Clauses: The Alternative Framework

The European Commission adopted new Standard Contractual Clauses (SCCs) in June 2021, replacing the older 2010 SCCs. The new SCCs are modular, covering four transfer scenarios: controller-to-controller, controller-to-processor, processor-to-controller, and processor-to-processor. All transfers under SCCs now require a Transfer Impact Assessment (TIA) — a documented analysis of the laws of the destination country and whether they undermine the protections afforded by the SCCs.

Revision Legal helps U.S. businesses navigate EU-U.S. data transfer compliance, including DPF self-certification, SCC implementation, and Transfer Impact Assessments. Contact us at revisionlegal.com/contact or visit our Privacy Law practice page.

On 10 July 2023, the European Commission (“EU”) approved a new EU-US data privacy adequacy decision, officially launching what will now be called the “EU-US Data Privacy Framework” (“DPF”).

For background, the EU created the world’s first personal data privacy regime in 2016 — which became effective in 2018 — called the General Data Protection Regulation (“GDPR”). Among other regulations, the GDPR prohibits the transfer of European personal data to third countries (like the U.S.) unless the data-receiving business has been certified as having a GDPR-compliant level of data protection. The new DPF creates the procedures and standards for U.S. companies to become certified, which will allow them to receive data transfers from EU business entities and EU locations.

Preventing the interruption of these data transfers is enormously important for both U.S. and EU businesses, particularly given the size of the Internet marketplace. For example, if a European consumer purchases a product online from a U.S.-based company or sales platform, there is a transfer of that consumer’s personal data from the EU to the U.S. This is because “personal data” includes such things as names, financial payment information, addresses, etc. If a U.S. customer buys a European product online, the same is true in the opposite direction. Just as importantly, U.S. and European companies process and store consumers’ personal data in many locations around the world. So, for example, a data processing center in Ireland operated by a U.S. business will be constantly transferring data into and out of the EU.

The new DPF replaces its predecessor framework, the Privacy Shield. For various technical and legal reasons, the Privacy Shield was deemed unlawful by the EU’s high court in 2020. The new DPF is intended to resolve those technical and legal issues. That being said, the new DPF is very similar to the Privacy Shield framework. The additions to the new DPF generally involve requirements that U.S. entities have some compliant dispute resolution mechanism for EU consumers who have data-related complaints.

To be certified, a U.S. company must implement data collection/processing policies and procedures that are compliant with GDPR regulations. The new DPF identifies the basic level of compliance that is required. As a few examples, a U.S. entity must disclose what data is collected and processed, the business purpose of data collection/processing, reasons for transferring data to third parties, provide “opt-out” mechanisms, etc. And, as just noted, there must be some method for EU consumers to register data-related complaints, and there must be a dispute resolution mechanism.

The list of certified U.S. companies is maintained by the U.S. Department of Commerce, and certification must be renewed annually. If a U.S. entity is certified, then an EU-based data exporter can transfer personal data to that company and, presumptively, be in compliance with the GDPR. Otherwise, a number of other steps and safeguards are required by the GDPR. These include the preparation of a data transfer impact assessment, the inclusion of certain contractual clauses in agreements with the data-receiving entity, the implementation of binding corporate rules by the data-receiving entity, etc.

Contact The Consumer Data Privacy and Compliance Attorneys At Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
