U.S. organizations can now self-certify their compliance with the EU-U.S. Data Privacy Framework (DPF) to freely receive personal data from the EEA (with the UK and Switzerland expected to be added shortly).
Organizations that maintained certification under the old “Privacy Shield” regime (which was previously invalidated following European concerns) may begin relying immediately on the DPF but must update privacy policies by October 10, 2023.
There is a risk that the DPF will be challenged, so while this is a welcome development, organizations that self-certify will need to keep a watching brief on it.

Under the General Data Protection Regulation (GDPR), personal data can only be transferred to a “third country” outside of the European Economic Area (EEA) (e.g., the United States) if: (i) there has been an “adequacy decision” issued by the European Commission (Commission) in respect of that country; (ii) “appropriate safeguards” are in place (such as standard contractual clauses (SCCs) or binding corporate rules (BCRs)); or (iii) a derogation applies. Similar rules apply in relation to transfers of personal data from the UK or Switzerland.

Since 2015, the Commission and the U.S. government have been struggling to find an arrangement to facilitate lawful transatlantic personal data flows between the EEA and the United States. Previously negotiated arrangements such as the “Safe Harbor” and “Privacy Shield” frameworks were both, in turn, declared invalid by the Court of Justice of the European Union (CJEU). In particular, in both cases, the CJEU found that the potential for the U.S. government to carry out “bulk” surveillance on EU individuals whose personal data had been transferred to the United States was incompatible with EU law.

The New DPF – Third Time Lucky?
On July 10, 2023, the Commission adopted its eagerly anticipated partial “adequacy decision” for personal data transfers to the United States. The Data Privacy Framework (DPF) permits transatlantic data transfers from the EEA (i.e., the EU plus Iceland, Liechtenstein and Norway) to certain U.S. organizations, provided they have self-certified and adhere to the applicable principles (DPF Principles). The DPF Principles are similar to the previous Privacy Shield principles and can be summarized as follows:

  • Notice: A self-certified organization must inform individuals (i.e., through a published privacy notice) about the types of personal data it collects, the purposes for which it collects personal data and the rights individuals have to access their personal information, amongst other things.
  • Choice: A self-certified organization must provide individuals with the opportunity to opt out of their personal data: (i) being disclosed to a third party; or (ii) being used for a purpose that is materially different from the purpose(s) for which it was originally collected. Details of how to do this should be contained in the privacy notice.
  • Accountability for Onward Transfers: To transfer personal data to a third party, a self-certified organization must first commit to entering into a contract with the third party that provides that such personal data will only be processed for a limited and specified purpose, that the third party will provide the same level of protection as the DPF Principles and that the third party will notify the organization if it makes a determination that it can no longer meet this obligation.
  • Security: Self-certified organizations must take reasonable and proportionate measures to protect personal data from loss, misuse and/or unauthorized access.
  • Data Integrity and Purpose Limitation: Personal data shared by the self-certified organization must be limited to the personal data that is relevant for the purpose of the processing.
  • Access: An individual must be able to access personal data about them held by the self-certified organization and be able to correct, amend or delete that personal data when inaccurate or collected in violation of the DPF Principles. The self-certified organization must make this commitment to the individual.
  • Recourse, Enforcement and Liability: A mechanism must be in place for ensuring compliance with the DPF Principles and recourse for individuals who are affected by non-compliance.

The Self-Certification Process – Steps to Follow
To be eligible for self-certification, an organization must be subject to the jurisdiction of either the Federal Trade Commission (FTC) or the Department of Transportation. This excludes some organizations from relying on the DPF and these entities will need to consider alternative personal data transfer solutions when receiving personal data from the EEA (such as SCCs or BCRs).

To rely on the DPF and receive personal data from the EU, U.S. organizations are required to self-certify their compliance with the DPF Principles.

A submission must be made to the U.S. Department of Commerce (DOC) by the organization. This submission must include the following key points:

  • The name of the organization and any subsidiaries adhering to the DPF Principles;
  • A description of the organization’s activities with respect to personal data received from the EEA under the DPF;
  • A description of the organization’s privacy policies for such personal information, including where these policies are available for public viewing;
  • A contact point within the organization for handling complaints, access requests and other issues arising under the DPF Principles;
  • The method of verification (i.e., self-assessment; or outside compliance reviews, including the third party that completes such reviews); and
  • The independent recourse mechanism(s) available to investigate unresolved complaints related to the DPF Principles.

Submissions should be made via the new DPF website, which launched on July 17, 2023.

An annual renewal fee, which will vary depending on certain factors (e.g., the size of the organization), is payable to the U.S. International Trade Administration for participating.

An organization which did not certify under the old Privacy Shield regime may not claim DPF participation until the DOC notifies the organization that it may do so. Instead, the organization must provide the DOC with a draft privacy notice which is consistent with the DPF Principles when it submits its initial self-certification. Once the DOC has determined that the organization’s initial self-certification submission is complete, it will notify the organization that it should finalize/publish its DPF-consistent privacy notice and place the organization on the DPF List.

Conversely, an organization that previously self-certified under the Privacy Shield regime (and maintained that self-certification) will not need to make a separate, initial self-certification submission to participate in the DPF and may begin relying immediately on the DPF to receive personal data from the EU. However, it will need to update its privacy notice(s) to refer to the DPF Principles (rather than Privacy Shield) as soon as possible, and in any event, no later than October 10, 2023, otherwise re-certification will be required.

Potential Challenges?
Max Schrems, who successfully challenged both the Safe Harbor and Privacy Shield frameworks (in cases known as Schrems I & II), has already stated that he is mounting another challenge against the DPF. A key basis for this challenge is Schrems’ view that the redress mechanism for individuals is insufficient and that the DPF is simply a copy of Privacy Shield (which was itself a copy of Safe Harbor), with no real substantive change, especially with regard to bulk surveillance by U.S. security agencies.

What About the UK and Switzerland?
On June 8, 2023, the UK and U.S. governments announced they had reached a commitment in principle to establish a “data bridge,” which would operate as a UK extension to the DPF. If adopted, the data bridge would function as a partial adequacy decision under the UK GDPR, and U.S. organizations could extend their certification under the DPF to also receive UK personal information. A final decision on the UK data bridge is expected in the coming months.

In addition, a parallel Swiss-U.S. framework has been developed alongside the DPF, but this has not yet been implemented.

The DPF has created a much-welcomed new legal mechanism for transatlantic data transfers in compliance with the GDPR. It is a particularly positive development for large U.S. companies with large numbers of European customers or affiliates, who regularly receive personal data from across the Atlantic. The DPF offers a potential “silver bullet” to allow those transfers to flow freely without the need to consider other data transfer mechanisms (such as SCCs), data transfer impact assessments and the like.

However, because it is likely that the DPF will be challenged, an organization that looks to utilize the DPF would be advised to maintain any SCCs contained in existing agreements, and to incorporate them in future agreements, as a fallback position in the short to medium term, at least.

European organizations that wish to export personal data to U.S. organizations claiming to be self-certified under the DPF should also check the DPF List (hosted on the new DPF website) prior to the transfer to validate the self-certification. Contractual terms should also be included in any service agreements to require such U.S. organizations to maintain the certification or notify the European exporter if the certification is invalidated or expires.

The authors would like to thank trainee solicitor Oliver Gilliland for his contributions to this client alert.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.