July 11, 2023
Yesterday, on July 10th, 2023, the European Commission adopted the adequacy decision for the EU-US Data Privacy Framework (“DPF”) which was introduced in March 2023 and detailed in our previous update. This adequacy decision concludes that the US provides a level of protection essentially equivalent to that of the EU for personal data transferred under the EU-US DPF from a controller or a processor in the EU to certified organizations in the US, without the need to obtain any further authorization.
On July 3, 2023, the US Department of Commerce announced that it had fulfilled its commitments for implementing the EU-US DPF. This marked the culmination of months of significant collaboration between the US and the EU and reflected their shared commitment to facilitating data flows between their respective jurisdictions while protecting individual rights and personal data.
The adequacy decision is based on US domestic laws and international commitments, which ensure the necessary safeguards for the protection of privacy and the fundamental rights and freedoms of individuals. The adequacy decision outlines that an independent “supervisory authority” with powers to monitor and enforce compliance with data protection rules should be in place; specifically, organizations must be subject to the Federal Trade Commission (“FTC”) or the Department of Trade (“DoT”), which have the necessary investigatory and enforcement powers to ensure compliance with the principles. Recently, the FTC has reached several notable settlements on data protection, and it appears it will continue to enforce these rules. The Framework will be administered by the US Department of Commerce, which will process applications for certification and monitor whether participating companies continue to meet the certification requirements.
The DPF is based on a system of certification by which US organizations commit to a set of privacy principles, the “EU-U.S. Data Privacy Framework Principles”, including the Supplemental Principles (together the “Principles”). The Principles apply automatically to certified organizations; however, organizations need to re-certify annually. The certification is issued by the Department of Commerce (“DoC”) and shall be enforced by the FTC and DoT as detailed above.
The DoC will maintain and make available to the public an authoritative list of US organizations that have self-certified to the DoC and declared their commitment to adhere to the Principles (the “DPF List”). Note that if a certified organization persistently fails to comply with the Principles, it will be removed from the DPF List and must return or delete the personal information it received under the EU-US DPF. An organization’s removal from the DPF List means it is no longer entitled to benefit from the Commission’s adequacy decision to receive personal information from the EU.
The Principles include:
We will send guidelines on the requirements and the certification process, as we highly recommend that all our clients be listed on the Data Privacy Framework List.
In order to maintain adequacy, the US will need to ensure:
We anticipate that the decision will be challenged by privacy advocacy groups, potentially leading to a “Schrems III” case. In fact, only a few hours after the publication of the adequacy decision, NOYB had already announced that it will “give EU US data transfers third round at CJEU”. We will continue to monitor these developments and provide updates as necessary.
We will keep you updated,
APM Technology and Regulations team.