European Commission Issues Adequacy Decision for EU-US Data Privacy Framework
In a much-anticipated decision, on July 10, 2023, the European Commission determined that the EU-US Data Privacy Framework (“EU-US DPF” or “Framework”) provides adequate protections to EU citizens to allow for the cross-border transfer of personal information from the European Union to the United States.[1]
After invalidation of its two predecessor frameworks—the US-EU Safe Harbor Framework in 2015 and the EU-US Privacy Shield Framework in 2020—the EU-US DPF[2] establishes a “reliable mechanism” for the transfer of personal data outside of the EU while still providing EU citizens with the same protections afforded by the EU’s General Data Protection Regulation (GDPR). While the EU-US DPF only applies to companies operating within the U.S., it allows the U.S. to join the relatively small list of countries that have achieved an adequacy decision from the European Commission.
With the Framework in place (effective July 11, 2023), companies are given a further alternative basis (in addition to Standard Contractual Clauses, Binding Corporate Rules, and GDPR Art. 49 derogations) to legally transfer personal data from the EU to the U.S. in compliance with the GDPR.
Scope
To utilize the EU-US DPF, a company must “self-certify” its compliance with the approved governing principles of the Framework, set forth below.[3] Furthermore, to qualify for the Framework, organizations must:
- Be subject to the investigatory and enforcement powers of either the U.S. Federal Trade Commission (“FTC”) or the U.S. Department of Transportation (“DOT”);
- Publicly declare their commitment to “comply with the Framework’s principles”;
- Publicly disclose their privacy policy; and
- Fully implement the Framework’s principles.[4]
After self-certification, the U.S. Department of Commerce (“DOC”) is responsible for maintaining the “authoritative list” of certified U.S. organizations,[5] as well as a list of organizations that previously self-certified but have since been removed from the list (i.e., organizations that are no longer in compliance with the principles).[6]
Once certified, an organization’s compliance may also be enforced through the regulatory powers of the FTC under Section 5 of the FTC Act or of the DOT under 49 U.S.C. § 41712. In this way, the Framework ensures that organizations that choose to rely on it for cross-border transfers of personal data must implement the principles or face regulatory repercussions.
Principles[7]
The adequacy decision, which outlines the EU-US DPF, sets forth seven Principles with which organizations must comply:
- Notice[8] – Organizations must inform individuals about, among other things:
  - Participation in and compliance with the Framework;
  - The purpose of collection and use of the personal data;
  - Contact information for the organization, including within the EU, if applicable;
  - Identities of any third parties that have access to the personal data;
  - The individuals’ rights, along with available dispute resolution mechanisms;
  - The regulatory authority of the FTC or the DOT over the organization; and
  - The requirement to disclose personal data in response to certain lawful requests by government authorities.
- Choice[9] – Organizations must allow individuals to choose whether their personal data can be disclosed to a third party or used for a “materially different” purpose than the one for which it was collected.
- Accountability for Onward Transfer[10] – The Framework imposes additional responsibilities on organizations that perform onward transfers (i.e., forwarding personal data transferred under the Framework):
  - Where the third party acts as a data controller, the organization must enter into a contract that limits the personal data to specific purposes (consistent with the purposes for which it was collected) and ensures that the third party provides the same level of protection as required by the Framework’s principles.
  - Where the third party acts as a data processor, the personal data may only be transferred for the limited purposes set forth at the time of collection, and the processor is required to provide the same level of protection as provided by the Framework’s principles. The processor is also under an ongoing obligation to stop and remediate unauthorized processing and to provide a summary or copy of its own privacy policy to the Department of Commerce upon request.
- Security[11] – Organizations must take “reasonable and appropriate” security measures to protect personal data subject to the Framework; what is reasonable and appropriate depends on both the risks of the processing activities and the nature of the personal data.
- Data Integrity and Purpose Limitation[12] – Processing of personal data must generally be limited to the purpose(s) for which it was collected or to closely related purposes (i.e., “compatible processing”).
- Access[13] – Organizations must allow individuals access to their personal data and provide those individuals with the ability to “correct, amend, or delete that information” if it is mistaken or otherwise conflicts with the Framework’s principles.
- Recourse, Enforcement and Liability[14] – Finally, the Framework sets forth a baseline standard for potential recourse. First, there must be a “readily available independent recourse mechanism”, which allows for the investigation of complaints at no cost to the individual and the award of damages in the event of a violation. Second, there must be “follow-up procedures” to verify whether an organization complies with the Framework’s principles. Third, organizations must be obligated to remedy any violation of the principles.
Though provided at a high level, each of these principles largely mirrors the overarching principles that underpin the GDPR and the EU’s Standard Contractual Clauses, which seek to provide EU citizens with the same level of protection for personal data processed (and stored) in the U.S.
Enforcement and Remediation
To qualify for the EU-US DPF, organizations must be subject to the authority of either the FTC or the DOT; however, these are not the only agencies with regulatory oversight and enforcement authority. As part of the EU-US DPF self-certification process, organizations must commit to cooperate with European Data Protection Authorities (“DPAs”).[15] Under the Framework, DPAs provide guidance through an “informal panel” of DPAs, which provides advice to U.S. organizations[16] regarding pending complaints and proposed solutions. The panel is funded through an annual fee paid by those organizations that wish to participate in it.
In addition to the (informal) advice of the DPA panel described above, the principles also “encourage” individuals to raise complaints directly with the organization. Upon receipt of such a complaint, the organization must respond within 45 days, after which the complaint may be raised with the required independent recourse mechanism, which must be readily available to individuals (free of charge) and provide information about the dispute resolution process.
Finally, the Framework includes a process for individuals to invoke binding arbitration.[17] Arbitration can only be invoked where: 1) the claimed violation was already raised with the organization directly; 2) the individual made use of the independent recourse mechanism; and 3) the individual raised the issue directly with the Department of Commerce (through the relevant DPA).[18] If these criteria are met, the parties to the arbitration, that is, the individual making the complaint and the organization, must choose three arbitrators from a list prepared by the Department of Commerce and the European Commission. Once the arbitration panel is selected, the arbitration should be completed within 90 days of receipt of the complaint.
Conclusion
Ultimately, the Decision puts into place a further alternative method of transferring data between the U.S. and the EU. While it is likely to face challenges in the coming months, the EU-US DPF appears to at least have addressed some of the concerns that ultimately led to the invalidation of the predecessor frameworks. President Biden’s Executive Order 14086 addresses the issue of law enforcement overreach by setting forth the need for legitimate objectives (as well as prohibited objectives) to justify the collection of personal data. In addition, the Order also provides for an independent Civil Liberties Protection Officer as well as a Data Protection Review Court to ensure that law enforcement complies with their data handling and processing obligations.
As organizations consider their privacy obligations, our team stands ready to assist in balancing the different obligations and procedures the Framework may require, including whether self-certification is the right step to take. We will also be keeping a careful eye on challenges to the Framework likely to come.
[1] Commission Implementing Decision of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework (hereinafter “Adequacy Decision” or “Decision”), available at https://commission.europa.eu/system/files/2023-07/Adequacy%20decision%20EU-US%20Data%20Privacy%20Framework.pdf.
[2] We wrote previously about President Biden’s Executive Order 14086, available here, which implemented several key safeguards within the U.S. Intelligence Community necessary for the present adequacy decision.
[3] Annex I, EU-US DPF § I(2).
[4] Id.
[5] Id. § I(3).
[6] Id. § I(4).
[7] In addition to these seven “primary” principles, the decision also outlines 16 “secondary principles” which provide further specific requirements and address certain very narrow situations related to the processing of personal data, such as special categories of personal data. See id. § III.
[8] Notice must be given in “clear and conspicuous language” when individuals are “first asked to provide personal information” or shortly thereafter. In any case, the notice must be given before the provided personal data is used. Id. § II(1)(b).
[9] Id. § II(2).
[10] Id. § II(3).
[11] Id. § II(4).
[12] Id. § II(5).
[13] Id. § II(6).
[14] Id. § II(7).
[15] Id. § III(5).
[16] This “harmonized” approach to data protection is consistent with a larger EU-wide approach to GDPR enforcement, which we have previously noted.
[17] EU-US DPF, Annex I: Arbitral Model.
[18] FTC action is not required, and in fact, the arbitration can occur “in parallel” with FTC action. Id. § (g).
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.