On July 17, 2023, the U.S. Department of Commerce (DOC) launched the new EU-U.S. Data Privacy Framework (EU-U.S. DPF) program website. This website, and the associated self-certification process, enables eligible companies to once again facilitate the cross-border transfer of personal data through participation in the EU-U.S. DPF, among other transfer mechanisms.
Generally, under the General Data Protection Regulation (GDPR), the cross-border transfer of personal data is prohibited absent an adequate level of data protection in the receiving country as determined by the European Commission, unless a permitted transfer mechanism is used. Many companies previously relied on the EU-U.S. Privacy Shield Framework (“Privacy Shield”) to facilitate data transfers between the European Economic Area, United Kingdom, Switzerland (together, “Europe”) and the U.S. in the absence of an adequate protection finding for the U.S. In 2020, however, the Court of Justice of the European Union (CJEU or “Court”) invalidated the Privacy Shield in a case commonly referred to as Schrems II, as we noted in a previous client alert.1 The CJEU explained that the Privacy Shield permitted government access to personal data subject to the GDPR based on national security concerns, public interest and domestic laws. Specifically, the Court was concerned about U.S. government surveillance programs and the lack of means by which data subjects could enforce their privacy rights.
In 2023, the EU-U.S. DPF was adopted to replace the Privacy Shield. This program was designed to address the concerns raised in Schrems II. In October 2022, President Biden signed Executive Order (EO) 14086, which further bolsters privacy and civil liberties safeguards. Specifically, EO 14086:
On July 10, 2023, the European Commission issued an adequacy decision which found that the EU-U.S. DPF, coupled with the protections outlined in EO 14086, adequately protect personal data and permit cross-border data transfers from Europe to the U.S.2
To participate, eligible companies must certify and publicly commit to complying with the EU-U.S. DPF Principles (“Principles”) (and/or the UK Extension to the EU-U.S. DPF and/or the Swiss-U.S. DPF Principles, as may be applicable), which sets forth detailed privacy requirements. These Principles provide guidance regarding key privacy and security requirements such as providing data subjects’ notice, choice and access to their personal data; accountability for onward transfers; data integrity and purpose limitations; and recourse and enforcement mechanisms. As of July 17, 2023, eligible companies may self-certify compliance with these Principles. To be eligible, participating companies must, among other things, meet the following requirements:
The EU-U.S. DPF provides a three-month transitional period for companies previously certified under the Privacy Shield. During this time, companies should update privacy policies to reflect the new EU-U.S. DPF requirements. These requirements must be met by October 17, 2023. Companies previously certified under the Privacy Shield may nonetheless immediately begin relying on the EU-U.S. DPF adequacy decision to receive personal data transfers cross-border. This transitional period does not extend to first-time applicants. Unlike previously covered companies, new applicants must wait for confirmation from the DOC before conducting data transfers.
Despite the recent adequacy decision, challenges to the EU-U.S. DPF are likely. For example, Max Schrem, the activist responsible for the invalidation of the Privacy Shield and its predecessor, the Safe Harbor program, has already announced plans to challenge the EU-U.S. DPF. While any legal challenge is ongoing, the EU-U.S. DPF will remain a viable transfer mechanism.
The EU-U.S. DPF will also be subject to periodic review by the European Commission. The first review will take place within a year of the entry of the adequacy decision. This review will seek to verify that the U.S. legal framework, and the new protections provided by EO 14086, are functioning effectively in practice.
The EU-U.S. DPF provides an important mechanism to support economic opportunity for companies of all sizes across all sectors of the U.S. economy, but future adjustments to the program are likely. Experienced data security and privacy counsel can guide companies through the certification process and advise about compliance requirements.
Our attorneys have a wealth of experience handling cross-border data transfer issues and are available to assess your website to determine whether your company is in compliance with the GDPR and other privacy authorities. For more information on this topic, please contact a member of the Data Privacy and Cybersecurity Industry Team or the Phillips Lytle attorney with whom you have a relationship.
1 “CJEU Invalidates Privacy Shield, Intl Data Transfers Under GDPR,” Phillips Lytle Data Privacy and Cybersecurity Client Alert, July 2020.
2 Companies can also self-certify compliance with the U.K. Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, which enables cross-border data transfers from those jurisdictions to the U.S. Participation in the U.K. Extension specifically requires participation in the EU-U.S. DPF.