Commission Implementing Decision of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework (“DPF Adequacy Decision”) is an official decision by the European Commission (“Commission”) confirming that data transfers to the recipient country, the United States (“USA”), are adequately protected and that the USA complies with the data protection standards of the European Union (“EU”). This decision paves the way for the transfer of personal data from the EU to the USA. The Adequacy Decision, which takes immediate effect, provides a new legal basis for transatlantic data transfers from EU data exporters to USA data importers that have confirmed compliance with the principles of the DPF Adequacy Decision.
Data Privacy Framework List
According to Article 1 of the DPF Adequacy Decision, the USA provides an adequate level of protection for personal data transferred from the EU to organizations in the USA that demonstrate compliance with the “EU-USA Data Privacy Framework Principles” (“DPF” or “DPF Principles”) and are listed in the “Data Privacy Framework List” maintained and publicly disclosed by the USA Department of Commerce. Personal data transfers covered by the DPF Adequacy Decision are safeguarded from the date of entry into the Data Privacy Framework List. The USA Department of Commerce will remove from the Data Privacy Framework List organizations that voluntarily withdraw from the EU-USA DPF or fail to complete their annual recertification. Organizations listed in the Data Privacy Framework List, however, must continue to apply the DPF Principles to the personal data they receive under the scope of the DPF Adequacy Decision and must annually confirm their commitment to doing so to the USA Department of Commerce. If an organization is removed from the Data Privacy Framework List, it no longer has the right to benefit from the DPF Adequacy Decision for receiving personal data from the EU. In that case, it is required either to commit to providing “adequate” protection for the personal data concerned through another authorized mechanism (such as Standard Contractual Clauses) or to undertake to return or delete the personal data.
Similar to the Privacy Shield and Safe Harbor frameworks in the past, the DPF Adequacy Decision applies only to transatlantic data transfers carried out under the DPF and does not encompass all transfers to USA recipients. However, the DPF Adequacy Decision also addresses specific concerns regarding access by USA government agencies to the personal data of individuals in the EU. The USA intelligence collection reforms also apply to personal data transferred under mechanisms such as Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCR). Accordingly, transfers under these mechanisms can also benefit from the findings set out in the DPF Adequacy Decision.
The Commission emphasizes that the DPF Adequacy Decision brings significant improvements compared to the mechanism that previously existed under the Privacy Shield. In order to determine the adequacy of data transfers under the DPF, the Commission thoroughly evaluated the changes introduced under Executive Order 14086 (“Executive Order”) and concluded that the new binding measures address all concerns expressed by the European Court of Justice in the Schrems II decision.
- Regarding access to personal data by the USA government, the Commission acknowledges that USA law includes various limitations and safeguards concerning access to and use of personal data for law enforcement and national security purposes. It confirms the existence of oversight and redress mechanisms that appropriately and proportionately restrict access by the USA Intelligence Community to EU data. Furthermore, the Commission notes that various USA institutions, such as the Central Intelligence Agency (CIA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Department of Homeland Security (DHS), have implemented policies and procedures addressing the concerns raised by the Court of Justice, as set out in the Executive Order.
- Regarding options within the judicial redress framework, the Commission highlights that the newly established Data Protection Review Court (DPRC) is an independent court accessible to EU citizens. The DPF Adequacy Decision indicates that this new judicial mechanism can effectively be used by individuals within the European Economic Area because the United States Attorney General designated the EU, Iceland, Liechtenstein, and Norway as “Qualified States” as of 30 June 2023.
The functioning of the DPF Adequacy Decision will be subject to periodic reviews conducted by the Commission, in coordination with representatives of the European data protection authorities (“DPAs”) and the authorized USA authorities. Pursuant to Article 3 of the DPF Adequacy Decision, the Commission must continuously monitor the implementation of the DPF Adequacy Decision. When the Commission has indications that an adequate level of protection is no longer ensured, it may inform the authorized USA authorities and, if necessary, decide to suspend, amend, or revoke the adequacy decision, or limit its scope. The first review will take place in July 2024 to confirm the full implementation and effective functioning of all relevant elements of the Executive Order.
Self-Certification Mechanism
Under the Self-Certification Mechanism, recipients in the USA who wish to rely on the DPF Adequacy Decision must first confirm their adherence to the DPF Principles themselves. The DPF Principles are an updated and further validated version of the principles established under the Privacy Shield framework. Organizations that are already certified under the Privacy Shield must develop their privacy policies, define an independent recourse mechanism, and complete the self-certification process made available by the USA Department of Commerce through the website https://www.dataprivacyframework.gov/s/ in order to obtain a Self-Certification Certificate under the DPF. The DPF website also includes a list of certified companies, allowing data exporters based in the EU to easily verify whether a USA data importer benefits from the protections within the scope of the DPF Adequacy Decision. Therefore, in the case of data flows from the USA to the EU, the submission of the Self-Certification Certificate is required.
For transfers from the USA, organizations must self-certify under the Self-Certification Mechanism and undertake to comply with the DPF Principles in order to benefit from the protections provided by the DPF Adequacy Decision. USA data importers should reflect their commitment to comply with the DPF Principles in their privacy notices no later than three months from the effective date of the DPF Principles, i.e. by 10 October 2023. In this regard:
- Organizations that are already certified under the Privacy Shield will be contacted by the USA Department of Commerce regarding potential re-certification steps and revisions to their privacy notices to account for the DPF Principles under the scope of the DPF Adequacy Decision.
- An EU data exporter intending to transfer personal data under the DPF Adequacy Decision must check whether the recipient in the USA has been certified under the DPF and whether the relevant data transfers fall within the scope of that certification. This can be done by verifying the certification status of the USA recipient on the DPF website before initiating the transfer.
Finally, as the DPF Adequacy Decision replaces the requirement for a Transfer Impact Assessment (“TIA”), a TIA will not technically be required for transfers covered by the DPF. However, existing TIAs (such as those prepared under Article 14 of the Standard Contractual Clauses) should be reviewed to account for the changes in USA surveillance laws. TIAs continue to be necessary for data transfers to the USA, or to other third countries, that are not covered by the DPF Adequacy Decision.
You can access the DPF Adequacy Decision through this link.