    Amit, Pollak, Matalon & Co.

    The European Commission adopted the adequacy decision for the EU-US Data Privacy Framework

    July 11, 2023

    Yesterday, on July 10th, 2023, the European Commission adopted the adequacy decision for the EU-US Data Privacy Framework (“DPF”) which was introduced in March 2023 and detailed in our previous update. This adequacy decision concludes that the US provides a level of protection essentially equivalent to that of the EU for personal data transferred under the EU-US DPF from a controller or a processor in the EU to certified organizations in the US, without the need to obtain any further authorization.

    On July 3, 2023, the US Department of Commerce announced that it had fulfilled its commitments for implementing the EU-US DPF. This marked the culmination of months of significant collaboration between the US and the EU and reflected their shared commitment to facilitating data flows between their respective jurisdictions while protecting individual rights and personal data.

    The adequacy decision is based on US domestic law and international commitments, which ensure the necessary safeguards for the protection of privacy and the fundamental rights and freedoms of individuals. The adequacy decision requires that an independent “supervisory authority” with powers to monitor and enforce compliance with data protection rules be in place; specifically, organizations must be subject to the Federal Trade Commission (“FTC”) and the Department of Trade (“DoT”), which have the necessary investigatory and enforcement powers to ensure compliance with the principles. The FTC has recently reached notable settlements on data protection matters and appears set to continue enforcing in this area. The Framework will be administered by the US Department of Commerce, which will process applications for certification and monitor whether participating companies continue to meet the certification requirements.

    The DPF is based on a system of certification by which US organizations commit to a set of privacy principles, the “EU-U.S. Data Privacy Framework Principles”, including the Supplemental Principles (together, the “Principles”). The Principles will apply automatically to certified organizations; however, organizations need to re-certify annually. The certification is issued by the Department of Commerce (“DoC”) and is enforced by the FTC and DoT as detailed above.

    The DoC will maintain and make available to the public an authoritative list of US organizations that have self-certified to the DoC and declared their commitment to adhere to the Principles (the “DPF List”). Note that if a certified organization persistently fails to comply with the Principles, it will be removed from the DPF List and must return or delete the personal information it received under the EU-US DPF. An organization’s removal from the DPF List means it is no longer entitled to benefit from the Commission’s adequacy decision in order to receive personal information from the EU.

    The Principles include:

    1. A comprehensive privacy policy with specific disclosures.
    2. Providing choice (opt-out) in certain circumstances.
    3. Limitations on onward transfers, including adding contractual obligations in the DPA.
    4. Limitations on processing.
    5. Adhering to security measures.
    6. Limiting access to personal information.
    7. Effective privacy protection, which must include robust mechanisms for assuring compliance with the Principles, recourse for individuals affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed; this must be an independent recourse mechanism chosen by the company.
    8. Subjecting the organization to the FTC and DoT.
    9. Supplementary measures (if applicable).

    We will send guidelines on the requirements and process of certification, as we highly recommend that all our clients be listed on the Data Privacy Framework List.

    In order to maintain adequacy, the US will need to ensure the following:

    • Limitations on intelligence activities, to ensure they are necessary and proportionate.
    • The European Commission will continuously monitor the functioning of the adequacy decision, including respect for data protection rights in the US and the redress possibilities under US law. This ongoing oversight ensures that the decision remains relevant and effective in the face of evolving data protection challenges.
    • A two-layer redress mechanism, with independent and binding authority, to handle and resolve complaints from any individual whose data has been transferred from the EEA to companies in the US about the collection and use of their data by US intelligence agencies. This mechanism includes the Civil Liberties Protection Officer of the US intelligence community and the Data Protection Review Court (“DPRC”), which has powers to investigate complaints from EU individuals, including the power to obtain relevant information from intelligence agencies, and can take binding remedial decisions. For example, if the DPRC finds that data was collected in violation of the safeguards provided in the Executive Order, it can order the deletion of that data.

    We anticipate that the decision will be challenged by privacy advocacy groups, potentially leading to a “Schrems III” case. In fact, only a few hours after the publication of the adequacy decision, NOYB had already announced that it will “give EU US data transfers third round at CJEU”. We will continue to monitor these developments and provide updates as necessary.

    We will keep you updated,

    APM Technology and Regulations team.