EU GDPR Adequacy Decision for EU-USA DPF

Finally, almost 3 years to the day since Privacy Shield was held invalid, there's a new adequacy decision about the USA - and it doesn't stop there!

10 July 2023: EC adopts adequacy decision for the EU-US Data Privacy Framework!

Here’s the announcement and here’s the 137-page DPF adequacy decision.

The decision concludes that the United States ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new framework. On the basis of the new adequacy decision, personal data can flow safely from the EU to US companies participating in the Framework, without having to put in place additional data protection safeguards.


USA is back online! (for the EEA)

It’s just 6 days shy of 3 years since the Privacy Shield adequacy decision was torn down by Europe’s highest court in the Schrems II decision of 16 July 2020. It took them long enough, but now we have a replacement for Privacy Shield: the interestingly named (we’ll come back to that) Data Privacy Framework, or DPF.


What’s been changed?

The EU-U.S. Data Privacy Framework introduces new binding safeguards to address all the concerns raised by the European Court of Justice, including limiting access to EU data by US intelligence services to what is necessary and proportionate, and establishing a Data Protection Review Court (DPRC), to which EU individuals will have access. The new framework introduces significant improvements compared to the mechanism that existed under the Privacy Shield. For example, if the DPRC finds that data was collected in violation of the new safeguards, it will be able to order the deletion of the data. The new safeguards in the area of government access to data will complement the obligations that US companies importing data from EU will have to subscribe to.

While the rules companies sign up to under DPF are an iteration of the rules under Privacy Shield, the 2 big changes address the 2 main criticisms in Schrems II:

  • government access to personal data – ‘Access to data is limited to what is necessary and proportionate to protect national security’
  • ‘EU individuals will have access to an independent and impartial redress mechanism regarding the collection and use of their data by US intelligence agencies, which includes a newly created Data Protection Review Court (DPRC). The Court will independently investigate and resolve complaints, including by adopting binding remedial measures.’


Was this unanimous?

Not all the way. Back on Valentine’s Day 2023, the EU Parliament’s LIBE Committee wanted to reject the decision, and we’ve logged the history here, but the passage has often been bumpy for adequacy decisions and the 6 July 2023 vote had 24 member states vote in favour, none against and 3 abstaining.


Why the name’s interesting

OK, without making too much of this, the usual term in Europe is Data Protection. GDPR is a Data Protection law, not a Privacy law. Data Protection is also a term from Security with nothing to do with Privacy (other than the Security aspect).

The term Data Privacy has been popular in the USA but – to be honest – has attracted some criticism from some UK / EU Privacy pros even as its usage has increased ‘over here’. So it’s great to see that we’re not standing on ceremony here, as we all know what this is actually about.

And let’s face it – Privacy pros here call themselves Privacy pros not Data Protection pros so, glass houses.


And for practitioners?

Chapter V of EU GDPR sets out the safeguards, or transfer tools, that you can use to send or make personal data available outside the EEA, such as to the USA. There’s a definite pecking order and you have to follow it:

  1. an adequacy decision available under Art 45 trumps all,
  2. if one isn’t available, then you look at a safeguard under Art 46, which basically means the official EU Standard Contractual Clauses (SCCs).

(Yes, there are Binding Corporate Rules and then other safeguards if none of this is available but, in practice, you either go with the adequacy decision or SCCs. There are fewer than 200 groups with BCRs approved and Privacy Shield had over 5,000 self-certified organisations, so there’s a clear winner.)


Adequacy decision = no TIA, all systems go

When there’s an available adequacy decision, you can stop there on the transfer part – you still need to consider all other rules under GDPR and other applicable laws, but you don’t need to perform a Transfer Impact Assessment (or TIA).

As Privacy Shield has been maintained since Schrems II, and many companies remained self-certified to Privacy Shield’s rules, it’s going to be very rapid for US organisations such as Microsoft, Google, Meta and Salesforce to transition to the DPF.

That means transfers from customers and subsidiaries in the EEA to these organisations in the USA will be valid under EU GDPR – which puts an interesting spin on the recent record €1.2bn fine imposed on Meta by Ireland’s DPC for such transfers, and the recent €1m fine imposed on Tele2 by Sweden’s DPA for using Google Analytics, because of the transfer to the USA.

So you now just need to check your US supplier is in DPF and the transfer part is done.


Benefits for SCCs too

If your US supplier isn’t in DPF, today’s adequacy decision still helps you. As the EC announcement states:

The safeguards put in place by the US will also facilitate transatlantic data flows more generally, since they also apply when data is transferred by using other tools, such as standard contractual clauses and binding corporate rules.

This means that, if you do need to do a TIA, you can refer to the DPF adequacy decision as a conclusive finding by the EC that the 2 big protections introduced in the USA by the related Executive Order are applicable to transfers under your SCCs and provide suitable restrictions on government surveillance plus suitable redress for EEA data subjects.

This makes any needed TIA for the USA also super simple.


And Brexit? I mean, the UK?

Well, the UK is now clear to race ahead with its own adequacy finding, safe in the knowledge that this will not jeopardise the UK’s own adequacy decision under EU GDPR. Well done UK! We’ll get the benefit of this same structure after those in the EEA get the benefit.

This also applies to any country with an adequacy decision under EU GDPR: each is free to piggyback on today’s decision by the EC.


What about Max?

Max Schrems’s not-for-profit, NOYB, has already stated it is going to file complaints as soon as transfers are made referencing the DPF, to push for a third Schrems decision at the CJEU, to bring down the DPF.

We’ll have to leave the end decision to Europe’s top court. However, there’s no doubt the Executive Order that brought in the US changes for DPF represents a step change in data protection for EEA data subjects in the USA. This is in the context of several states, led by California, bringing comprehensive GDPR-lite data protection laws onto their statute books with more guaranteed to join them soon.

The US legal environment is definitely changing. Whether that’s enough for the CJEU we’ll only know when the case gets there. But at least we have a few years of certainty, which is very welcome.

And given the tumult Brexit has caused for us Brits, we can’t wait for the corresponding UK-US decision under UK GDPR.


Know your transfers?

See how Keepabl’s award-winning Privacy Management Software surfaces all your transfers under UK and EU GDPRs so you can make sure your compliance stance is up to date and defensible.
