This just in:
- The European Union adopted its “adequacy decision” for the European Union-U.S. Data Privacy Framework (“DPF”).
- The U.S. launched its process by which companies can “self-certify” to the DPF, for personal data transfers from the EEA.
- Approval is anticipated (but not finalized) for transfers from the UK and Switzerland.
- But, EU privacy advocates deride the efforts as mere “magic tricks,” and vow fresh challenges
(Need a refresher before diving in? See our blogs: December 2022 (draft EU adequacy decision), October 2022 (U.S. Executive Order etc.), September 2022 (EU contract terms), March 2022 (UK contract terms)).
EU Adopts Adequacy Decision – For Certified U.S. Entities
On July 10, 2023, the European Commission announced its Adequacy Decision as to EU-protected personal data transfers to certain entities in the United States – those that are eligible for, and self-certify under the DPF. See its Press Release.
Note the limitation on scope, in contrast to adequacy decisions that apply to an entire country (such as the EU’s adequacy decisions for Japan, the United Kingdom, etc.)
U.S. DPF Implementation Under Way
This followed the U.S. Secretary of Commerce’s announcement on July 3, 2023 that the U.S. had “fulfilled its commitments for implementing” the DPF. Specifically:
On June 30, Attorney General Merrick Garland designated the EU and the three additional countries making up the European Economic Area (EEA) as ‘qualifying states’ for purposes of implementing the redress mechanism established under Executive Order (EO) 14086 on Enhancing Safeguards for United States Signals Intelligence Activities. … Today, the Office of the Director of National Intelligence (ODNI) confirmed that the U.S. Intelligence Community has adopted its policies and procedures pursuant to EO 14086.
Then, on July 17, the U.S. Secretary of Commerce launched a comprehensive, International Trade Administration website for the DPF Program: www.dataprivacyframework.gov. It enables eligible companies to certify to the EU-U.S. DPF, and will similarly enable certification to the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF (when their approval processes are completed).
To be certified, companies must satisfy a wide array of requirements (even scratching the surface is beyond the scope of this blog), and pay annual fees (for DPF participation, varying by annual revenue and number of jurisdictions, other fees for dispute resolution mechanisms). Note that not all U.S. companies may apply – to be eligible, companies must be subject to the jurisdiction of the Federal Trade Commission or the Department of Transportation.
UK Extension – Commitment in Principle
Post-Brexit, the UK doesn’t automatically track the EU. But efforts are well under way to leverage the EU-U.S. DPF for UK-protected data transfers. On June 9, 2023, the U.S. Secretary of Commerce and UK Secretary of State for Science, Innovation, and Technology issued a joint statement announcing their commitment in principle to “establish a data bridge allowing for the free flow of data between organizations in the United Kingdom and participating organizations in the United States.”
This announcement represents the UK’s intent to establish a data bridge for the UK Extension to the U.S.-EU Data Privacy Framework, subject to the UK’s data bridge assessment and further technical work being finalized, and dependent on the U.S. designation of the UK as a qualifying state under Executive Order 14086. (Emphasis added).
Still Need Contractual Data Processing Terms? Yes.
Robust contract terms are required for transfers of personal data to the U.S. for processing, regardless of whether one or both parties is certified under the DPF. For example, Section 10 of its Supplemental Principles includes:
Data Processing Contracts
i. When personal data is transferred from the EU to the United States only for processing purposes, a contract will be required, regardless of participation by the processor in the EU-U.S. DPF.ii. Data controllers in the EU are always required to enter into a contract when a transfer for mere processing is made, whether the processing operation is carried out inside or outside the EU, and whether or not the processor participates in the EU-U.S. DPF. The purpose of the contract is to make sure that the processor:1. acts only on instructions from the controller;2. provides appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and understands whether onward transfer is allowed; and3. taking into account the nature of the processing, assists the controller in responding to individuals exercising their rights under the Principles. (Emphases added).
What about “Standard Contractual Clauses?”
What’s not additionally required, for transfers to companies certified under the DPF, are additional terms specific to the risks of cross-border transfer to the U.S. – those terms that form part of the European Union’s Standard Contractual Clauses (“EU SCCs”) (notably, transfer impact assessments), and the UK’s International Data Transfer Agreement and UK Addendum to the EU SCCs.
But, expect contracting parties to still see transactions with these cross-border terms/requirements. Why:
First, countless existing transactions are subject to contractual cross-border transfer terms (such as the EU SCCs). Contracts may or may not (depending on their terms) get updated to reflect the DPF, unless/until they renew (if then).
For new transactions, parties will need a cross-border transfer mechanism (such as the EU SCCs) to transfer personal data to U.S. entities that can’t make use of the DPF (for example, because they are not within FTC or DOT jurisdiction), or choose not to get certified under the DPF (for example, because of cost, burden, wait-and-see attitude, or otherwise), or have applied but have not completed certification. And, some contracting parties may insist on contractual cross-border terms (such as the EU SCCs) even where the U.S. entity is self-certified under the DPF (for example, given level of risk tolerance, entity preferences, belt-and-suspenders approach, etc.)
Still, the U.S. governmental changes (policies, procedures, redress, etc.) can and should be factored into contractual data processing risk assessments, notably the transfer impact assessments required by the EU SCCs. The U.S., European Commission, and UK voiced the opinion that the U.S.’ new safeguards do strengthen contractual mechanisms for cross-border personal data transfers:
The European Commission explained in its Adequacy Decision Press Release:
The safeguards put in place by the US will also facilitate transatlantic data flows more generally, since they also apply when data is transferred by using other tools, such as standard contractual clauses and binding corporate rules. (Emphasis added).
And the U.S. Secretary of Commerce observed:
We expect this [EU Adequacy Decision] will also facilitate transfers through other EU legal mechanisms, including Standard Contractual Clauses and Binding Corporate Rules. (Emphasis added).
Similarly, the U.S. and UK “expect that the establishment of the data bridge will also further facilitate transfers to U.S. organizations that rely on other data transfer mechanisms under UK law.” (Emphasis added).
Waiting for … Schrems III
Transfers relying upon the DPF (whether because a party is certified, or in transfer impact assessments), are still subject to scrutiny by the Court of Justice of the European Union (“CJEU”). And, the CJEU famously rejected both prior trans-Atlantic data flow efforts.
Privacy advocacy organization noyb (for which activist Mr. Schrems is honorary chair) already announced its view that the DPF remains insufficient:
noyb has prepared various procedural options to bring the new deal back before the CJEU. We expect the new system to be implemented by the first companies within the next months, which will open the path towards a challenge by a person whose data is transferred under the new instrument. It is not unlikely that a challenge would reach the CJEU by the end of 2023 or beginning of 2024. The CJEU would then even have the option to suspend the “Framework” for the time of the procedure. (Emphasis added).
Time will tell …. (Keep an eye on the DPF website for updates).
Kathy O’Sullivan, Esq., CIPP/E, CIPP/US
Looking to learn about information technology contracts? Tech Contracts Academy offers public and in-house trainings.
© 2023 by Kathy O’Sullivan and Tech Contracts Academy, LLC. All rights reserved.
Thank you to Pixabay.com for great, free stock images.