The European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework (DPF) on July 10th, enabling the free flow of personal data from the European Economic Area (EEA) to the United States.
Why is the DPF Framework Coming Now?
Due to Art. 45 GDPR, the European Commission has the power to determine whether a country outside the EU offers an adequate, "essentially equivalent" level of data protection to the EU. Adequacy means that the rules implemented in the third country are effective in practice. The main consequence of an adequacy decision is that, if it is adopted, the transfer "shall not require any specific authorisation".
When the European Court of Justice invalidated the previous adequacy decision in its Schrems II decision of July 2020, the European Commission and US government subsequently entered into discussions to develop a new framework which would address the issues raised by the European Court of Justice. In March 2022, an agreement was reached in principle and further to this, President Biden signed an Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities' in October 2022.
The Executive Order, in conjunction with the accompanying Regulations, introduced new binding safeguards to address the points raised by the European Court of Justice in its Schrems II decision of July 2020. The new obligations were designed to ensure that data can be accessed by US intelligence agencies only to the extent of what is necessary and proportionate, and to establish an independent and impartial redress mechanism to handle and resolve complaints from individuals concerning the collection and use of their personal data for national security purposes.
In Article 1 of its adequacy decision on July 10th, the European Commission concludes that the United States ensures an adequate level of protection for personal data transferred from the EU to organizations in the United States that have certified compliance to the “EU-U.S. Data Privacy Framework Principles” (DPF Principles). The U.S. Department of Commerce will be maintaining a “Data Privacy Framework List” that is publicly accessible.
When Will the Decision Apply?
The adequacy decision entered into force on July 10th, 2023. While there are no time limitations, the Commission will be monitoring relevant developments in the United States and regularly reviewing the adequacy decision. The initial review will take place within its first year and it will verify that all relevant elements have been fully implemented in the US legal framework and are operating effectively in practice.
- Binding safeguards that limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security;
- Enhanced oversight of activities by US intelligence services to ensure compliance with limitations on surveillance activities; and
- The establishment of an independent and impartial redress mechanism, which includes a new Data Protection Review Court to investigate and resolve complaints regarding access to their data by US national security authorities.
Benefits of the DPF Framework
- Free flow of personal data from the European Economic Area to the United States;
- Adequate protection of personal data transferred to the United States, addressing the requirements of the European Court of Justice;
- Competitive digital economy and economic cooperation; and
- Continued data flows underpinning €900 billion in cross-border commerce every year.
Impact on Financial Institutions
While some legal challenges may still arise as occurred successfully on two previous occasions, the adequacy decision is binding which means that it must accepted as creating a valid mechanism for data transfers without the need to obtain any further authorization.
Data exporters based in the EU should be aware that the adequacy decision focuses on EU-U.S. data flows where the data importer in the United States is certified under the DPF. As such, data exporters relying on other mechanisms (i.e. Standard Contractual Clauses) should consider reassessing their Transfer Impact Assessments (TIAs) as a result of the changes introduced by this development.