After more than a year since the first announcement of the Trans-Atlantic Data Privacy Framework, the European Commission adopted its adequacy decision on the EU-US Data Privacy Framework (DPF) on 10 July 2023, and it entered into force with immediate effect. Transfers to US companies signed up to the DPF will now be considered “adequate” for transfers outside of the EEA.

Safeguards

The new adequacy decision comes nearly 3 years after the Schrems II decision in July 2020, which invalidated the Privacy Shield as a legitimate way to transfer data between the EU and the US. (For more detail on the Schrems II decision see our article here). The DPF seeks to address the concerns in the Schrems II decision by introducing new binding safeguards to limit access to EU data by US intelligence services to what is necessary and proportionate, and establishing a Data Protection Review Court, which will independently investigate complaints lodged by Europeans.

Self-certification

Under the DPF, US companies can self-certify their participation by committing to comply with a detailed set of privacy obligations, which unsurprisingly align with GDPR-esque principles. Companies currently self-certified under the Privacy Shield Framework will have access to a simplified procedure for self-certification under the new DPF. As this decision is considered a partial and conditional adequacy decision, those self-certified companies can receive EU data without having to carry out risk assessments and/or put in place additional supplementary measures. You can find more information on the self-certification process via this DPF website, and we expect there to be a rush of applications to certify by eligible US companies, especially large US service providers and B2C/e-retailers who service lots of clients and customers in the EU.

UK-US transfers

The adequacy decision only covers transfers from the EU to the US, but we should expect the focus to now be on UK-US adequacy, with a similar process for the UK to become a “qualifying state”. Our understanding is that the ICO is preparing its opinion on the UK-US data bridge, which will need to be approved by the UK Government, and that the data bridge will be very similar in nature to the EU-US deal.

Does this solve everything?

Not quite – not all US companies can take advantage of the DPF. Only those that are subject to the investigatory and enforcement powers of the Federal Trade Commission and Department of Transportation can certify under the DPF. Certain manufacturing and financial services companies, for instance, are not eligible, and so will still need to use transfer mechanisms such as Standard Contractual Clauses.

Further, this DPF only covers transfers to the US. Transfers outside of the EEA/UK to non-adequate countries will still require data exporters to put in place lawful transfer mechanisms, carry out transfer risk assessments and, where necessary, put in place supplementary measures. Therefore, the headache still very much exists for non-US transfers.

Overall, the adequacy decision is a positive outcome and will be welcomed by businesses, as it will provide legal certainty in respect of their data transfers from the EEA (and soon, hopefully, the UK) to the US. Indeed, we suspect we will see a flurry of EU (and likely UK) organisations, as well as large US companies such as Meta, Amazon and Microsoft, swiftly incorporating the DPF into their US transfer documentation as part of yet another re-papering exercise. However, while this is a step in the right direction, Max Schrems and noyb have already panned the DPF as “largely a copy of the failed ‘Privacy Shield’” that doesn’t go far enough to address the “fundamental” surveillance issues identified in Schrems II, and they “expect this to be back at the Court of Justice by the beginning of next year”. Therefore, it will not come as a surprise to anyone to see Schrems III on the horizon soon. Let’s hope we at least get a summer off!