The European Commission (“Commission“) has formally adopted its new adequacy decision for the EU-US Data Privacy Framework (“DPF“) under the General Data Protection Regulation (“GDPR“). The decision concluding that the US ensures an adequate level of protection for personal data transferred to organizations participating in the DPF.

The DPF, which was drafted in conjunction with the US Department of Commerce will allow for the transfers of personal data from the EU to the US without needing to put in place additional safeguards such as conducting transfer impact assessments and entering into the Standard Contractual Clauses.

The adoption of the DPF follows significant changes addressing the points raised by the Court of Justice of the European Union (“CJEU“) in the Schrems II case, where the previous Privacy Shield mechanism was invalidated. Notably, according to the Commission, the new obligations taken by the US, including under President Biden’s Executive Order 14086, ensure the establishment of independent and impartial redress mechanisms to handle complaints from European data subjects, concerning processing of their personal data by US law enforcement and national security bodies.

Similarly to its predecessors, the DPF does not apply to all data transfers to the US. In order to be eligible for certification of participation in the DPF, an organization must be subject to the investigatory and enforcement powers of either the Federal Trade Commission (“FTC“) or the Department of Transportation (“DoT“).

Organizations subject to the DPF will have to provide effective mechanisms to ensure compliance with the principles of the DPF and will have to self-certify their participation by committing to comply with a set of data protection obligations and principles. Among other things, organizations will be required to be transparent and provide notices about their participation in the DPF and their commitment to its principles; allow data subject to exercise their right of access, deletion and rectification; limit onward transfers of data; and provide appropriate internal and external redress mechanisms, including, at the organization’s choice, dispute resolution by the EU Supervisory Authorities or alternative independent dispute resolution programs. Additionally, in case of disputes the DPF allows data subject to invoke binding arbitration by a special DPF panel.

Organizations that were already certified under the Privacy Shield framework, are well positioned to self-certify under the DPF, with only minor changes required.

In addition, in order to get certified, organizations will have to submit either a self-assessment or outside compliance review of their adherence to the DPF principles.

Organization’s certification will need to be renewed on an annual basis.

The Department of Commerce will keep a public list of DPF members on its website and will also actively monitor compliance with the DPF. While participation in the DPF is voluntary, once committed effective compliance with the DPF will be compulsory and any failure to comply will be enforceable by either the FTC or the DoT, as applicable. Organizations that will persistently fail to comply may be removed from the DPF, which will bar them from benefiting from the DPF in the future.

Despite the fact that the adequacy decision only applies to organizations certified by the DPF, this new development will also affect data transfers not subject to the DPF, as the safeguards put in place by the US authorities will apply to all data transfers subject to the GDPR, regardless of the mechanism for transfer. This may affect the findings of transfer impact assessments and enable the facilitation of other tools, such as the Standard Contractual Clauses or binding corporate rules, to transfer data to the U.S.

Following the CJEU Schrems II decision, the European Commission will continuously monitor the situation in the US and the adequacy decision will be reviewed within one year. While the DPS will have significant impact on EU-US data flows, some uncertainty regarding the result of its expected legal challenges before the CJEU remains, given the invalidation of its predecessors, Safe Harbor and Privacy Shield, by CJEU.

Feel free to contact us if you have any questions about the effect of the DPF on your organizations data transfers to the US or about the practical steps to move forward with the certification process.