On July 10, 2023, the European Commission adopted its adequacy decision for the EU – U.S. Data Privacy Framework (“EU-U.S. DPF”), which provides organizations with another mechanism for lawfully transferring EU personal information to the United States.
The EU – U.S. Data Privacy Framework replaces the EU – U.S. Privacy Shield Framework (“Privacy Shield”), which was invalidated by the European Court of Justice (“CJEU”) on July 16, 2020, in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) (also referred to as “Schrems II”). In its decision, the CJEU cited issues with Privacy Shield’s redress mechanism for EU individuals and with the U.S. intelligence services’ collection and use of personal information. To help address the concerns raised by Schrems II, the Biden administration issued Executive Order 14086 in October 2022, requiring U.S. national security agencies to implement new safeguards for the collection and use of personal information in signals intelligence activities and establishing a redress mechanism for individuals in relation to U.S. signals intelligence collection and activities. This redress mechanism is available via the Data Protection Review Court, which was established by the U.S. Attorney General via regulation on October 7, 2022.
In addition to the EU-U.S. DPF, the Swiss – U.S. Data Privacy Framework (“Swiss DPF”) will enter into force on July 17, 2023, but may not be relied upon until the Swiss Federal Administration recognizes the Swiss DPF as an adequate transfer measure.
Finally, U.S. based organizations can self-certify to the UK Extension to the EU-U.S. DPF (“UK Extension”) beginning on July 17, 2023, but may not rely on the UK Extension for UK and Gibraltar transfers until the United Kingdom’s adequacy regulations implementing the data bridge for the UK Extension are in force.
Next Steps
For organizations that have already certified to the EU – U.S. or Swiss – U.S. Privacy Shield Framework:
· U.S.-based organizations that certified to the EU – U.S. Privacy Shield Framework Principles are automatically certified to the new EU – U.S. Data Privacy Framework (“EU-U.S. DPF”). These organizations will be required to comply with the new DPF Principles, including making updates to privacy policies, by October 10, 2023.
· U.S.-based organizations that certified to the Swiss – U.S. Privacy Shield Framework Principles are automatically certified to the new Swiss DPF. These organizations will be required to comply with the new Swiss DPF Principles, including making updates to privacy policies, by October 17, 2023. Note that organizations cannot rely on the Swiss DPF for transfers until the Swiss Federal Administration formally recognizes the Swiss DPF as an adequate measure.
· Organizations that wish to withdraw from their prior self-certification (and not be automatically certified to the EU-U.S. DPF and/or Swiss DPF) must follow the withdrawal procedures currently described in Section (f) of the Supplemental Principle on Self-Certification. Note that those who withdraw will have ongoing obligations to protect personal data previously collected under their prior self-certification per those prior principles.
For new certifications:
· U.S.-based organizations that have not previously self-certified to the EU-U.S. DPF or Swiss DPF can submit self-certifications beginning on July 17, 2023, via the Dept. of Commerce, International Trade Association’s (“ITA”) new EU-U.S. DPF website.
· U.S.-based organizations can begin self-certifying for the UK Extension on July 17, 2023 (but must wait for the implementing regulations before beginning transfers), via the same ITA website.
What to Consider Before Certifying:
As with the Privacy Shield Framework, the EU-U.S. DPF, Swiss DPF, and UK Extension will require organizations to self-certify compliance with the Data Privacy Framework Principles (“DPF Principles”). The text of the final DPF Principles is available in Annex 1 to the adequacy decision and is expected to be available on the new ITA website.
In addition to compliance with the Framework Principles, organizations should also consider the following before submitting their certification requests:
· Eligibility – U.S. organizations that are subject to the enforcement powers of the Federal Trade Commission (FTC) or the U.S. Department of Transportation can participate in the EU-U.S. DPF, Swiss DPF, and UK Extension.
· Compliant Privacy Policy Statements – U.S. organizations will need to ensure their privacy policy statements adhere to the “Notice” principle described in the DPF Principles, including:
o a statement on the organization’s participation in the EU-U.S. DPF, Swiss DPF, and/or UK Extension (as applicable), including a link to the ITA website;
o the types of personal information collected and, where applicable, the U.S. entities or subsidiaries also adhering to the Principles;
o the purposes for which the organization collects and uses personal information;
o the right of individuals to access their personal information and the choices they can make for limiting the use and disclosure of personal information;
o the type or identity of third parties to which the organization discloses personal information and the purposes for such disclosure;
o details regarding the organization’s independent dispute-resolution body designed to address complaints and provide recourse free of charge (e.g., panel established by Data Protection Authorities, alternative dispute resolution provider based in the EU, or an alternative dispute resolution provider based in the U.S.);
o a statement regarding the organization being subject to the investigatory and enforcement powers of the FTC, DOT, or other U.S. authorized statutory body;
o the possibility, under certain conditions, for an individual to invoke binding arbitration;
o that the organization may be required to disclose personal information in response to lawful government requests; and
o the organization’s liability in cases of onward transfers to third parties.
It is important to note that an organization is not permitted to claim participation in any of the Data Privacy Frameworks in its published privacy policy (or other public statements) until it receives notification from the ITA that its submission is complete.
· Compliance Verification Mechanism – All organizations that self-certify to the Framework Principles must be able to demonstrate their compliance either via a self-assessment or via a third-party assessment. Organizations should ensure they can comply with this verification requirement and document proof of it.
· Designated Contacts – Ensure that there are at least two designated contacts to respond to issues that may arise, at least one of which is a corporate officer. Under the Privacy Shield Framework, organizations were required to respond to complaints within 45 days.
· Track Recertification Date and Requirements – Organizations must recertify compliance with the Framework Principles annually, including payment of the fee (based on the organization’s annual revenue).
For information on how to meet your current obligations under the new Framework Principles or to submit a new certification, please contact your Hintze Law attorney contact or Jennifer Ruehr at jennifer@hintzelaw.com.
Jennifer Ruehr, Partner with Hintze Law and head of the Employment Privacy Group, counsels retail, technology and e-commerce clients on global privacy, cyber-security, and related data technology and transactional matters.
Hintze Law PLLC is a Chambers-ranked, boutique privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support the technology, ecommerce, advertising, media, retail, healthcare, AI, and mobile industries in all aspects of privacy and data security.