Data transfers to the United States under the GDPR following adoption of the adequacy decision on 10 July 2023
On 10 July 2023, the European Commission adopted its adequacy decision for the new Trans-Atlantic Data Privacy Framework (“DPF”), concluding that the United States provides an adequate level of protection for personal data transferred from public and private entities in the EU/European Economic Area to U.S. organisations participating in the DPF.
Key elements of the DPF
Certification:
- To be eligible for certification under the DPF, an organisation must be subject to the investigatory and enforcement powers of the Federal Trade Commission (“FTC”) or the U.S. Department of Transportation (“DoT”).
- To certify under the DPF, eligible organisations must publicly declare their commitment to comply with a set of privacy principles issued by the U.S. Department of Commerce (“DoC”) (the “Principles”), make their privacy policies available and fully implement them. They must also submit certain information to the DoC.
- Participating organisations must re-certify their adherence to the Principles on an annual basis.
- Certified organisations can receive personal data on the basis of the DPF from the date they are placed on the DPF list by the DoC.
- The DPF will be administered and monitored by the DoC and compliance will be enforced by the FTC and DoT.
Transfers under the DPF:
- Personal data transfers from controllers and processors in the EU to DPF certified organisations in the U.S. may take place without the need to obtain any further authorisation.
- The DPF applies to any personal data (defined by reference to the GDPR) transferred from the EU to participating organisations in the U.S., with the exception of data that is collected for publication, broadcast or other forms of public communication of journalistic material and information in previously published material disseminated from media archives.
Principles of the DPF:
- The Principles generally align with many key obligations and rights under the GDPR. They include, amongst others, the Notice, Choice, Security, Access, Data Integrity and Purpose Limitation Principles. The adequacy decision specifically identifies, as a right not addressed in the DPF, protection against decisions affecting the data subject that are based solely on the automated processing of personal data. Such decisions, it says, will “typically be taken by the controller in the Union (which has a direct relationship with the concerned data subject)”, as confirmed by a study commissioned by the Commission in 2018.
- The Principles do not limit privacy obligations that otherwise apply under U.S. law and do not affect the application of the GDPR to the processing of personal data in the EU.
Intelligence activities and redress:
In its judgment of July 2020 in C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (“Schrems II”), the Court of Justice of the European Union (“CJEU”) decided that it was “impossible to conclude” that the EU-U.S. Privacy Shield could ensure a level of protection essentially equivalent to that guaranteed by the GDPR. To reach this new decision on adequacy, the Commission analysed U.S. law, including in particular two recent U.S. enactments: U.S. Executive Order 14086 on ‘Enhancing Safeguards for United States Signals Intelligence Activities’, adopted in October 2022, and a Regulation on the Data Protection Review Court issued by the U.S. Attorney General. Executive Order 14086 further particularises the grounds on which data may be collected and creates additional specifications for “bulk surveillance”. It establishes further mechanisms for redress to investigate and resolve complaints from European data subjects about access to their data by U.S. intelligence authorities, including a Data Protection Review Court (the second level of a two-tier redress system).
Notwithstanding these developments, the Commission retains the right to evaluate the DPF and suspend, amend or repeal it or limit its scope if it deems that the level of protection afforded by the U.S. is no longer adequate. The DPF will undergo regular reviews, including within one year after its entry into force, to verify whether all relevant elements have been fully implemented and are functioning effectively in practice.
The long tail of a data protection complaint: a brief recap
The DPF has been eagerly awaited in the wake of the Schrems II decision, which struck down the EU-U.S. Privacy Shield Framework and confirmed, in principle, the validity of the European Commission controller–processor Standard Contractual Clauses (“SCCs”). The origins of Schrems II date back to 2013, when Maximillian Schrems, an Austrian national and Facebook user, filed a complaint with the Irish Data Protection Commissioner (“DPC”) requesting that Facebook Ireland be prohibited from transferring his personal data to servers owned by its parent company in the United States. His complaint, made following Edward Snowden’s leaks about U.S. National Security Agency surveillance in 2013, was on the ground that the law and practice in force in the U.S. did not ensure adequate protection of his personal data held in that territory against the surveillance activities in which the public authorities were engaged.
Moving forward a decade, the DPC has now concluded its investigation into the basis upon which Meta Platforms Ireland Limited (“Meta Ireland”) transfers personal data from the EU/EEA to the U.S. in connection with the delivery of its Facebook service. Its decision of May 2023 records that Meta Ireland infringed Article 46(1) GDPR when it continued to transfer personal data from the EU/EEA to the U.S. following the Schrems II judgment. Among other corrective orders, the DPC imposed an administrative fine on Meta Ireland in the amount of €1.2 billion. It held that transfers on the basis of the updated SCCs adopted by the European Commission in 2021, in conjunction with the additional supplementary measures implemented by Meta Ireland, did not address the risks to the fundamental rights and freedoms of data subjects identified by the CJEU in its judgment. Importantly, the DPC’s decision binds Meta Ireland only. The DPC recalls in its decision that the CJEU in Schrems II upheld the validity of the SCCs as a legal instrument, subject to a case-by-case assessment of whether, in any given case, data transfers to a third country conducted under their terms are lawful.
Chapter V tools
Opting into the DPF provides one mechanism for the transfer of personal data from the EU/EEA to the U.S. under the GDPR. Organisations will need to evaluate the different transfer tools available under the GDPR to ascertain which mechanism best suits their circumstances, always bearing in mind that the DPF may be subject to challenge before the CJEU in the same way that its predecessors were. Indeed, the privacy activist group noyb, chaired by Max Schrems, has already signalled its intention to challenge the DPF.
For more information on alternative mechanisms, please see our briefings, including those on the updated SCCs, EDPB guidance on international data transfers and binding corporate rules. These are available here:
New SCCs with wider application introduced by European Commission
What are BCRs? – Arthur Cox LLP
The Aftermath of Schrems II – Examining the EDPB’s Draft Recommendations for International Data Transfers