On July 10, the European Union and the United States finalized the EU-U.S. Data Privacy Framework (DPF), an agreement that allows for the transfer of personal data from residents of the EU to certified companies in the U.S. without the need for additional agreements such as standard contractual clauses (SCCs). The DPF is effective immediately and replaces prior agreements that were invalidated by the EU Court of Justice (see our prior alert). 

Transatlantic data flows support more than $7 trillion in cross-border trade and investments per year, and the DPF is the latest iteration of agreements that allow EU personal data to be shared with participating companies in the U.S. Previous versions of the agreement (known as the Privacy Shield and Safe Harbor) were invalidated by the EU Court of Justice in 2015 and 2020 through decisions informally known as Schrems and Schrems II. Since then, companies have largely relied on SCCs to transfer data, although the legal efficacy of using SCCs for transfers to the U.S. was unclear. Following a series of rulings from the EU Court of Justice that undermined existing transfer mechanisms, the EU and U.S. resumed negotiations for an acceptable DPF. The European Commission concluded in July 2023 that the DPF is adequate and ensures a level of protection for European personal data stored in the U.S. comparable to that provided in the EU.

In its decision, the European Commission highlighted that the new framework contains additional safeguards to address concerns previously raised by the EU Court of Justice.[1] Those safeguards include limiting access to EU personal data by U.S. intelligence services, instituting a review process through the civil liberties protection officer to investigate individual complaints about data misuse, and creating a Data Protection Review Court (DPRC) to review the findings of the civil liberties protection officer. The DPRC, created by the U.S. Department of Justice, can also order remediations such as “deleting unlawfully collected data, deleting the results of inappropriately conducted queries of otherwise lawfully collected data, restricting access to lawfully collected data to appropriately trained personnel, or recalling intelligence reports containing data acquired without lawful authorization or that were unlawfully disseminated.”[2] The DPF also provides individuals with the option to engage in arbitration as a mechanism of “last resort.”[3]

On July 17, 2023, the U.S. Department of Commerce launched a new website through which companies can join the DPF. To comply, companies must self-certify and publicly agree to abide by the DPF Principles. Those principles largely follow the individual rights and company duties established by existing EU privacy laws and the 12 state privacy laws passed in the U.S. so far. Individual rights under the principles include the right to access, correct or delete data that is inaccurate or has been processed in violation of the principles; the right to receive notice, before the data is collected, of what data will be processed and the purposes for processing it; the choice to opt out of processing that data for a different purpose, for targeted advertising, or before disclosing it to third parties; and affirmative consent requirements for processing sensitive personal data. Company duties include transparency, data minimization, purpose limitation, data security and integrity, and accountability for transferring data to third parties. To maintain certification, companies are required to recertify annually.

Companies currently certified under the Privacy Shield have access to a simplified self-certification process (using the same login credentials as on the new DPF website) and should update their privacy policies as soon as possible, but no later than Oct. 10, 2023, to commit to compliance with the DPF Principles. Companies that are not certified can create an account and upload documents for certification but will not be allowed to publicly claim they adhere to the DPF Principles until their materials are verified by the Department of Commerce and they are listed as DPF certified on the website. The Federal Trade Commission (FTC) and the Department of Transportation (DOT) will be tasked with investigating compliance with the DPF Principles, and the DPF will be subject to periodic reviews, with the next review occurring in 2024.

Despite the DPF’s additional rights and protections, some privacy advocates still believe the DPF suffers from infirmities similar to those that plagued previous data transfer mechanisms. Notably, Max Schrems, chair of the advocacy group NOYB that successfully challenged the Privacy Shield and Safe Harbor agreements, expressed concern about the DPF. However, until a formal challenge is adjudicated in the EU Court of Justice, the DPF will govern data transfers between the EU and certified U.S. companies.

Companies that transfer EU resident data to the U.S. should update their privacy policies and procedures and consider becoming certified under the DPF. If you’re interested, please reach out to the Kramer Levin privacy team for additional assistance on how to comply with privacy laws or become DPF certified.


[1] For additional information on the DPF, see the accompanying Questions & Answers page and fact sheet published by the European Commission.

[2] Commission Implementing Decision of July 10, 2023, pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-U.S. Data Privacy Framework, 191.

[3] Id. at 81.