International: Commission adopts adequacy decision on EU-US DPF - what you need to know
The European Commission voted to adopt its adequacy decision for the EU-US Data Privacy Framework (DPF) on July 10, 2023. Notably, the adequacy decision replaces the Privacy Shield, which was invalidated by the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) (the Schrems II Judgment), and follows the issuance of the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (the Executive Order) by U.S. President Joseph Biden. In this Insight article, OneTrust DataGuidance takes a look at the application of the EU-US DPF and what organizations hoping to utilize this mechanism should consider.
The adequacy decision provides that the EU-US DPF applies to certified organizations, subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) and the U.S. Department of Transportation (DoT). Notably, organizations are subject to the EU-US DPF Principles upon certification, and will have to re-certify their adherence to the Principles on an annual basis.
'Personal data/personal information' is defined under the adequacy decision as 'data about an identified or identifiable individual that are within the scope of the General Data Protection Regulation (GDPR) received by an organization in the United States from the EU, and recorded in any form.' Likewise, 'processing' is defined in the adequacy decision as 'any operation or set of operations which is performed upon personal data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination and erasure or destruction.'
The adequacy decision clarifies that the EU-US DPF applies to organizations that qualify as controllers, namely a person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data, or processors, agents acting on behalf of a controller. U.S. processors must be contractually bound to act only on instructions from the EU controller and assist controllers in responding to individuals exercising their rights under the Principles. In the case of sub-processing, a processor must conclude a contract with the sub-processor guaranteeing the same level of protection as provided by the Principles and take steps to ensure its proper implementation.
Purpose limitation and choice
Personal data should be processed lawfully and fairly, collected for a specific purpose, and subsequently used only insofar as it is not incompatible with the purpose of processing. Further, before using personal data for a new purpose that is materially different but still compatible with the original purpose, or disclosing it to a third party, the organization must provide data subjects with the opportunity to object through a clear, conspicuous, and readily available mechanism.
Special categories of personal data
Organizations must obtain affirmative express consent from individuals to use sensitive information for purposes other than those for which it was originally collected or subsequently authorized by the individual, or to disclose it to third parties.
Data accuracy, minimization, and security
Data should be accurate and, where necessary, kept up to date. Data must also be adequate, relevant, and not excessive in relation to the purposes for which it is processed, and in principle be kept for no longer than is necessary for the purposes for which the personal data is processed. More specifically, personal information may be retained in a form identifying or rendering an individual identifiable only for as long as it serves the purpose for which it was initially collected or subsequently authorized by the individual. Personal data should also be processed in a manner that ensures its security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
Data subjects should be informed of the main features of the processing of their personal data. Notice must be provided in clear and conspicuous language when individuals are first asked to provide the personal data or as soon as practicable, but in any event, before the data is used for a materially different purpose than the one for which it was collected, or before it is disclosed to a third party.
Data subjects must have rights that can be enforced against the controller or processor, in particular the right of access to data, the right to object to the processing, and the right to have data rectified and erased.
The level of protection afforded to personal data transferred from the EU to organizations in the US must not be undermined by the further transfer of such data to a recipient in the US or another third country.
Entities processing data are required to put in place appropriate technical and organizational measures to effectively comply with their data protection obligations and be able to demonstrate such compliance, in particular to the competent supervisory authority.
The adequacy decision provides that the Department of Commerce (DoC) is responsible for administering and monitoring the EU-US DPF. To certify under the EU-US DPF, organizations must declare their commitment to the Principles, make their privacy policies publicly available, and fully implement them. The certification application must include the name of the relevant organization, a description of the purposes for which the organization will process personal data, the personal data the certification will cover, as well as the chosen verification method, the relevant independent recourse mechanism, and the statutory body that has jurisdiction to enforce compliance with the Principles.
Organizations can receive personal data from the date they are placed on the EU-US DPF list by the DoC but are not allowed to publicly refer to their adherence to the Principles before the DoC has determined the organization's certification submission is complete and added to the EU-US DPF list.
Regarding re-certification, the DoC will inform organizations that they must address all issues identified during the DoC's review with the FTC and DoT. If organizations fail to respond within a timeframe set by the DoC (the expectation for re-certification would be that the process is completed within 45 days) or otherwise fail to complete their certification, the submission will be abandoned. The list of organizations will be made publicly available by the DoC and will be updated on the basis of an organization's annual re-certification submission and whenever an organization withdraws or is removed from the EU-US DPF.
Under the adequacy decision, the DoC will monitor organizations to verify, among other things, that organizations withdraw from participation in the EU-US DPF, fail to complete the annual re-certification process in a timely manner, or fail to start it. Where organizations fail to remove or improperly use references to the EU-US DPF, the DoC will inform organizations of a possible referral to the FTC/DoT.
Withdrawal from the EU-US DPF
The FTC and DoT are the competent US authorities for enforcement of the adequacy decision and have investigatory and enforcement powers to ensure compliance with the Principles. Specifically, the adequacy decision provides that the FTC can provide administrative or federal court orders for preliminary or permanent injunctions, or other remedies. Failure by organizations to comply with such orders means that the FTC may seek civil penalties or other remedies.
The adequacy decision notes that the FTC has recently taken enforcement action in a number of cases concerning compliance with data protection requirements also provided for by the Principles, including data retention, data minimization, data accuracy, data security, and purpose limitation.
In addition, the adequacy decision emphasizes that to ensure adequate protection and enforcement of data subject rights, data subjects must be provided with effective judicial remedies.
Firstly, organizations must put in place an effective redress mechanism to deal with data subject complaints. Accordingly, an organization's privacy policies must clearly inform individuals about a contact point, within or outside an organization, that will handle complaints. Organizations must respond to such a complaint within 45 days.
Secondly, individuals may also bring a complaint directly to the independent dispute resolution body designated by an organization to resolve individual complaints and to provide appropriate recourse free of charge. Independent dispute resolution bodies are required to include on their public website relevant information regarding the EU-US DPF and the services they provide under it.
Thirdly, individuals may bring their complaint to the national data protection authority (DPA) in the EU. Organizations are obliged to cooperate in a DPA's investigation when it concerns human resources data collected in the context of an employment relationship or when the respective organization has voluntarily submitted to the oversight of the DPA.
Fourthly, the DoC has committed to receive, review, and undertake best efforts to resolve complaints about an organization's non-compliance with the Principles. The DoC has provided special procedures for DPAs to refer complaints to a dedicated contact point to facilitate a resolution to customer complaints.
Fifthly, EU-US DPF organizations must be subject to the jurisdiction of U.S. authorities, namely the FTC, which prioritizes referrals of non-compliance with the Principles received from DPAs, the DoC, and independent dispute resolution bodies.
Finally, the adequacy decision notes that the 'EU-US Data Privacy Framework Panel' acts as a recourse mechanism of last resort for an individual's complaints. Organizations must inform individuals about their ability to invoke binding arbitration and that they are obliged to respond once an individual has invoked this option by delivering notice to the concerned organization.
Criminal law enforcement
The adequacy decision stipulates that the activities of federal criminal law enforcement agencies are subject to oversight by various bodies. This includes the Privacy and Civil Liberties Officers within various departments with criminal law enforcement responsibilities, the independent Inspector General who oversees the activities of the Department of Justice, the Privacy and Civil Liberties Oversight Board (PCLOB), and the oversight provided by various Committees in the U.S. Congress.
Regarding the access and collection of personal data for national security purposes, the adequacy decision outlines that the Executive Order requires such activities to be based on statute or Presidential authorization and undertaken in compliance with U.S. law. Appropriate safeguards must also be in place to ensure privacy and civil liberties are integral considerations. Specifically, any signals intelligence activity may only be carried out 'following a determination, based on a reasonable assessment of all relevant factors, that the activities are necessary to advance a validated intelligence priority.' Likewise, such activities may only be conducted 'to the extent and in a manner that is proportionate to the validated intelligence priority for which they have been authorized.' The adequacy decision elaborates on avenues in the US available to EU data subjects to bring legal action before an independent and impartial tribunal. The Executive Order establishes the Data Protection Review Court (DPRC) to handle complaints from individuals concerning U.S. signals intelligence activities.
Further, the adequacy decision clarifies that the requirements laid down by the Executive Order are binding on the intelligence community, but that they must be further implemented through agency policies and procedures that transpose them into concrete directions for day-to-day operations. The Executive Order provides U.S. intelligence agencies a maximum of one year, from October 7, 2022, to update their existing policies and procedures.
On July 11, 2023, the U.S. International Trade Administration (ITA) issued an advisory following the adequacy decision. The advisory notes that the Principles entered into effect on the same date and that organizations that have self-certified their commitment to comply with the EU-U.S. Privacy Shield Framework Principles must update their privacy policies for compliance with the Principles by October 10, 2023.
However, organizations that have self-certified with the EU-US Privacy Shield do not need to make a separate, initial self-certification submission to participate in the EU-US DPF and may begin relying immediately on the EU-US DPF adequacy decision to receive personal data transfers from the EU and EEA.
In addition, the ITA established that the Privacy Shield website will be taken offline on July 14, 2023, but that individuals with active accounts for the Privacy Shield program will be able to use their existing login credentials for the DPF website.
UK and Switzerland certifications
Eligible organizations that wish to self-certify their compliance with the UK Extension to the EU-US DPF may do so from July 17, 2023, but may not use this as a mechanism before the UK's adequacy regulations implementing the data bridge for the UK Extension to the EU-US DPF enter into force. The advisory clarifies that organizations that wish to participate in the UK Extension must also participate in the EU-US DPF. Similarly, the Swiss-US DPF Principles will enter into effect on July 17, 2023. Organizations that have self-certified their compliance with the Privacy Shield Framework Principles must comply with the Swiss-US DPF Principles, including by updating their privacy policies by October 17, 2023. The advisory clarifies that such organizations may not begin relying on the Swiss-US DPF to receive personal data transfers from Switzerland until the date of entry into force of the Swiss Federal Administration's anticipated recognition of adequacy for the Swiss-US DPF.
In conclusion, the adequacy decision establishes that the EU-US DPF ensures a level of protection for personal data transferred from the EU to certified organizations in the US that is essentially equivalent to that provided for by the GDPR. The adequacy decision considers the EU-US DPF Principles to provide effective oversight mechanisms and redress avenues to enable the identification and punishment of infringements of data protection rules.
Harry Chambers Senior Privacy Analyst