Data protection: Adequacy decision for transfers of personal data from the EU to the USA

Anyone who is engaged in the world of data privacy has become used to new important decisions and judgments in the middle of the summer. This year, we first learned from the Swedish supervisory authority IMY that the use of Google Analytics was banned for four Swedish companies and only a week later, on the 10th of July, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework (DPF) for transfers of personal data to the US.

What has the situation been like for EU-US transfers?

To recap in brief, transfers of personal data from the EU to the US have been very problematic to pursue since the Schrems II decision in July 2020 invalidated the Privacy Shield as a Chapter V GDPR transfer mechanism. One issue from a European perspective is that US authorities are able to access transferred personal data. Since then, transfers of personal data from the EU to the US have in most cases relied on Standard Contractual Clauses accompanied by supplementary measures. However, it has become obvious that substantial supplementary measures are required for such transfers to be compliant. European supervisory authorities have in several cases declared such transfers to be illegal due to insufficient or ineffective supplementary measures, meaning that the data controllers failed to ensure a sufficient level of protection for the personal data transferred to the US. Such decisions have led to several sanction fees and bans of third country transfers (many with Google Inc. as data importer) for European organisations.

In October 2022, the US implemented a Presidential Executive Order which introduced new binding safeguards giving Europeans further rights than before, e.g. the right to obtain access and a new independent and impartial redress mechanism.

What’s new?

The European Commission has now found these changes in US legislation to be sufficient and has adopted its adequacy decision. From July 10th 2023, the US has been added to the European Commission’s list of countries having an adequate level of data protection, however with a specific requirement: the receiving US company and data importer must participate in the DPF (Data Privacy Framework) program. For transfers that can rely on the DPF, neither a transfer mechanism under Art. 46 GDPR (e.g. Standard Contractual Clauses) nor supplementary measures are needed.

Participation in the DPF

A US company wanting to participate in the DPF is required to self-certify to the International Trade Administration (ITA) within the U.S. Department of Commerce via the Department’s DPF program website. The US company will publicly commit to comply with the DPF Principles, and the commitment to adhere to the DPF Principles is enforceable under U.S. law (by the US Federal Trade Commission). Self-certified companies will be included in the DPF List and, to stay on the list, annual re-certification submissions must be made. There will also be a public list of companies that have been removed from the list and the reason for the removal (e.g. voluntary withdrawal, failure to complete the annual re-certification or being found to persistently fail to comply).

The DPF Principles

The DPF principles that must be complied with are similar to those in the GDPR, such as the principles of purpose limitation, data minimisation and data retention, and obligations concerning data security and the sharing of data with third parties, including public authorities. The seven DPF principles are accompanied by sixteen equally binding supplemental principles. Also, the company’s privacy policy must be updated to refer to and declare its commitment to comply with the “EU-U.S. Data Privacy Framework Principles”.

What to think about?

A European organisation on its way to transfer personal data to a US organisation (also within the same group of companies) shall check whether the US organisation is participating in the DPF – check the list. If the answer is yes, the transfer is good to go. If the answer is no, a transfer mechanism in Article 46 GDPR must be applied. If the chosen transfer mechanism is the Standard Contractual Clauses, the US legislation must be assessed in a Transfer Impact Assessment (do not forget the safeguards in the Executive Order). Any supplementary measures required by that assessment must then be applied.

Remember that for all processing of personal data, a general risk assessment must be performed, sometimes in the form of a Data Privacy Impact Assessment (Article 35 GDPR), regardless of whether the transfer is subject to an adequacy decision or not.

A US organisation looking forward to receiving EU data should consider participating in the DPF. The self-certification process will require some work (e.g. reviewing and compiling information and implementing routines) to make sure that the DPF Principles are complied with.

Backup plan

The EU and the US have tried to establish structures for transfers of personal data for a long time. Twice already, such initiatives have been invalidated by the European Court of Justice (Safe Harbor in 2015 and Privacy Shield in 2020). It is by no means certain that the DPF will be around for long. The EU Civil Liberties Committee argued in its resolution published on the 14th of February 2023 that the Commission should not grant the US an adequacy decision and highlighted the fact that many of the old issues related to US transfers are still present. Privacy organisation NOYB (None of Your Business) has expressed similar criticism, albeit with greater emphasis, and has declared its intent to assist in bringing the issue before the European Court of Justice. Their prediction is that a challenge to the DPF would likely reach the Court of Justice as early as the end of 2023 or the beginning of 2024. With the legal uncertainty of the DPF in mind, we advise caution and urge actors engaging in EU-US transfers to prepare a backup plan in case the DPF is in fact invalidated.