Did Transferring Personal Data from the EU to the U.S. Just Get Easier?
Businesses and organizations that regularly transfer personal data from the EU to the U.S. should carefully assess whether it makes sense to rely on the new EU-U.S. Data Privacy Framework.
On July 10, 2023, the European Commission formally approved the EU-U.S. Data Privacy Framework (DPF) by adopting an “adequacy decision.” Adequacy decisions are one of the legal mechanisms under the EU’s General Data Protection Regulation (GDPR) for transferring personal data from the European Union (EU) to other countries which, in the eyes of the European Commission, offer sufficient privacy and data protection. The DPF adequacy decision recognizes that, although the United States has a different approach to data protection than the EU, personal data transferred to the U.S. under the DPF is considered to be adequately protected in line with the GDPR’s rules on international data transfers. The European Commission takes the position that personal data can flow freely and safely from the EU to U.S. companies that are participating in the new framework.
Transfers of personal data from the EU to the U.S. have generated much controversy over the past few years. In 2020, the Court of Justice of the EU invalidated the DPF’s predecessor, the EU-U.S. Privacy Shield, following a complaint by Austrian privacy activist Maximilian Schrems and his nonprofit organization NOYB (known as the Schrems II case). In the Schrems II case, questions were raised about how personal data of EU users of social network Facebook was available to U.S. authorities (e.g., the National Security Agency) in a manner that was considered incompatible with the EU Charter of Fundamental Rights. The Court of Justice was particularly concerned that U.S. intelligence agencies could access personal data from EU individuals beyond what is necessary and proportionate and that there was no independent and impartial redress mechanism to handle complaints from EU individuals.
In the wake of the Schrems II case, the European Commission and the U.S. government engaged in intense negotiations to set up a new and enhanced EU-U.S. data transfer structure—the DPF—that addresses the concerns of the Court of Justice. In support of this initiative, U.S. President Joe Biden signed an executive order that aims to provide additional protections for EU individuals whose personal data is transferred to the U.S., including:
- Data access limitations imposed on the U.S. intelligence community to ensure that it accesses only what is necessary and proportionate to protect national security.
- Enhanced oversight of the surveillance activities that U.S. intelligence agencies are involved in.
- The creation of a new, two-layered redress mechanism for handling and resolving complaints from EU individuals with concerns about the (potential) collection and use of their personal data by the U.S. intelligence community. The new mechanism features a low entry threshold: EU individuals will be able to submit complaints to their local data protection authority in their own language. The data protection authority will subsequently transmit the complaints to the United States, via the European Data Protection Board.
Following a lengthy assessment, the European Commission ultimately found that the additional data access limitations, safeguards, and redress possibilities that the United States has committed to implement in the context of the new framework suffice to ensure an adequate level of protection for personal data transferred from the EU to companies participating in the DPF.
This means that, going forward, companies and organizations transferring personal data from the EU to the U.S. will have an extra legal “tool” for effectuating these transfers in accordance with the GDPR, provided that the data recipient in the U.S. is participating in the new framework.
U.S. companies can join the DPF by submitting an application for certification to the U.S. Department of Commerce, which will keep an updated list of participants.
As an additional benefit, the European Commission has confirmed that the new measures for the protection of EU individuals that have been put in place by the U.S. government will apply to all data transfers to companies in the U.S., regardless of the transfer mechanism used. Therefore, the new measures also facilitate data transfers based on the European Commission’s standard contractual clauses or intragroup binding corporate rules.
So, should all U.S.-based companies that receive personal data relating to EU individuals go and join the new framework? Not necessarily. The DPF may not be the most suitable solution for every data transfer scenario.
- To be able to join the DPF, a company or organization must be subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC), the Department of Transportation (DOT), or another statutory body recognized by the EU. Businesses and organizations that fall outside the FTC’s or DOT’s authority will therefore not be eligible to participate in the new framework.
- Also, companies that want to rely on the new framework will have to publicly commit to comply with the DPF principles issued by the U.S. Department of Commerce and be able to demonstrate their compliance with these principles. There are seven key DPF principles that apply to every participating company and impose detailed data protection obligations, such as requirements around purpose limitation, data minimization, and data retention, in addition to obligations relating to data security and the sharing of (transferred) personal data with third parties. There are also 16 supplemental principles that may apply, depending on the data transfer scenario—for example, in the case of human resources data or if personal data from clinical trials conducted in the EU is transferred to the U.S. In order to ensure their adherence to the DPF principles, participating companies will have to implement a range of framework-specific compliance measures, such as:
  - DPF privacy notices to EU individuals whose personal data is transferred to the U.S. These notices will have to inform individuals about, for example, why the company collects and uses their personal data and to whom it may disclose the data.
  - Mechanisms for ensuring that EU individuals can access the personal data processed about them, and that they can correct, amend, or delete personal data that is inaccurate or processed in violation of the DPF principles.
  - Readily available, independent recourse mechanisms to investigate EU individuals’ complaints and disputes, at no cost to the individuals.
  - Onward transfer contracts with third parties that will be processing transferred data as independent controllers or as processors of the DPF-certified company.
  - Internal procedures for verifying their own compliance with the DPF (through self-assessments or external compliance reviews).
U.S. companies’ compliance with the DPF principles will be monitored and enforced by the FTC and DOT, which have an arsenal of remedies they can use to address violations.
Companies in the EU that intend to transfer personal data to a company in the U.S. based on the latter’s DPF certification will also need to adjust their practices, including by implementing additional due diligence measures. They must verify on the DPF website that the “data importer” in the U.S. and the relevant transfer of personal data are properly covered by the listed certification. They must also ensure that relevant compliance documents (such as data processing agreements and privacy notices) are updated as needed to reflect the company’s reliance on the DPF as a data transfer tool.
In addition to the considerable compliance burden, companies that are considering relying on the new framework should also take into account that the DPF provides coverage for transfers of personal data to the U.S. only. If personal data will be transferred to recipients in the U.S. and in other parts of the world, it may be more efficient to use an alternative data transfer mechanism such as the European Commission’s standard contractual clauses or binding corporate rules.
Data Transfers Will Remain a Top Priority
In summary, businesses and organizations that regularly transfer personal data from the EU to the U.S. should carefully assess, on a case-by-case basis, whether it makes sense to rely on the new framework or to use one of the other data transfer tools that are available under the GDPR. They should also keep an eye out for further developments in this space.
Schrems and NOYB have already indicated that they are considering challenging the validity of the new framework, in front of the Court of Justice of the EU if needed. They appear to question, for instance, the effectiveness of the new redress mechanism and the possible outcomes of complaints lodged against the activities of U.S. intelligence agencies.
However, a legal challenge of the DPF is likely to take several years, during which the new framework will remain available as a valid data transfer tool. In any event, next year, the European Commission will conduct a review of the DPF to verify whether the U.S. measures and safeguards are functioning effectively.
One thing is certain: Transfers of personal data from the EU to the U.S. will remain high on the agenda of businesses, privacy organizations, and regulators in the EU.
Wim Nauwelaerts is the partner-in-charge of Alston & Bird’s Brussels office, leading the firm’s European Privacy, Cyber & Data Strategy Team. He can be reached at wim.nauwelaerts@alston.com.
This article first appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, and In-House Counsel.