EU-US Data Privacy Framework – at a glance
On 10 July 2023 the European Commission adopted an adequacy decision covering transfers of personal data from the EU to the US under the EU-US Data Privacy Framework (the DPF). The DPF is the successor to the EU-US Privacy Shield (the Privacy Shield) and allows personal data to be transferred from the EU to US organisations that participate in the DPF without the need for additional transfer safeguards (e.g. Standard Contractual Clauses or Binding Corporate Rules).
Changes to US Law
The changes introduced to US law by President Biden's Executive Order on 'Enhancing Safeguards for United States Signals Intelligence Activities' (EO 14086), signed on 7 October 2022, and its accompanying regulation issued by the US Attorney General, were a key aspect of the European Commission's adequacy decision. These instruments introduced various measures designed to address the deficiencies in US law identified by the Court of Justice of the European Union in Schrems II.
Some of the most significant measures introduced by these instruments include:
- the establishment of a new Data Protection Review Court to handle and resolve complaints from individuals in the EU concerning access to their data by US intelligence authorities
- the introduction of binding safeguards which limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security
- significant limitations on the ability of US intelligence authorities to engage in bulk collection of data.
DPF Key Details
- Eligibility: To be eligible for certification under the DPF, organisations must be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) or the US Department of Transportation (DoT). The adequacy decision issued by the European Commission indicates that organisations operating in the banking and insurance industries will be unable to avail of the DPF, as they do not fall within the jurisdiction of either authority.
- Certification: Unless organisations have continued to participate in the Privacy Shield, they will need to apply to the US Department of Commerce (DoC) for certification. Organisations can receive personal data on the basis of the DPF from the date they are placed on the DPF list by the DoC. Organisations that have continued to participate in the Privacy Shield transition automatically, provided they comply with the DPF principles and update their privacy policies to refer to the DPF by 10 October 2023.
- Re-certification: Organisations must annually re-certify their participation in the framework in order to continue to rely on the DPF.
- Compliance obligations: Organisations that participate in the DPF will be required to comply with various data protection principles, the majority of which are very similar to the principles that applied under the Privacy Shield (e.g. purpose limitation, data minimisation and specific obligations concerning data security and the sharing of data with third parties).
- Monitoring compliance: The DoC will monitor each organisation's compliance with the DPF on an ongoing basis, using a combination of spot-checks and targeted audits (e.g. following reports from third parties). The European Commission will also monitor the DPF on an ongoing basis and may suspend, amend or repeal the adequacy decision if it determines (amongst other things) that US authorities have failed to comply with the commitments underpinning the DPF.
- Enforcement: In the event that the DoC becomes aware that an organisation does not comply with its commitments under the DPF (e.g. following complaints), the DoC will require the organisation to complete a detailed questionnaire. Failure to provide satisfactory and timely responses to this questionnaire will result in the DoC referring the organisation to the relevant enforcement authority (i.e. the FTC or the DoT). The FTC can also initiate enforcement action of its own volition or based on referrals (e.g. from EU data protection authorities).
- List of participants: The DoC will maintain a publicly accessible list of organisations that are certified to participate in the DPF, which will be available on the DoC's DPF programme website once it is activated. EU data exporters should check that a US importer appears on this list, and for which framework(s) it is certified, before relying on the DPF for a transfer.
- Transfer Impact Assessments: Organisations that rely on the DPF as their basis for transferring personal data to data importers in the US will not be required to carry out a transfer impact assessment (TIA). If you intend to continue relying on the European Commission Standard Contractual Clauses (SCCs) for transfers to the US, a TIA will still be needed in accordance with clause 14 of the SCCs, and the assessment must be documented under clause 14(d). However, in carrying out that assessment, organisations will be able to take account of the European Commission's findings in the adequacy decision on the level of protection afforded by US law.
- Impact on other transfer tools (e.g. SCCs): The safeguards introduced by EO 14086 and its accompanying regulation apply to all transfers under the GDPR to data importers located in the US, regardless of the transfer tool used. In other words, they also apply to transfers carried out on the basis of the SCCs or Binding Corporate Rules, which is why those safeguards can be relied upon in a TIA for such transfers.
For further information on the DPF, please contact any member of ALG's Commercial & Technology team.
Date published: 17 July 2023