The EU Commission adopted today an adequacy decision for the EU-US Data Privacy Framework. As we indicated last month, this has been an area closely watched by those transferring data from the EU to the US. The issue has been a contentious one. Concerns in particular have been raised on the EU side regarding US surveillance agencies’ ability to access non-US individuals’ personal information. These concerns led to the downfall of both of the Framework’s predecessors: Safe Harbor and Privacy Shield.
Companies in the US that receive European personal information can elect to participate in the new Framework program, operated by the US Department of Commerce. Participation is not mandatory, and other transfer mechanisms may exist, including Binding Corporate Rules and Standard Contractual Clauses. To participate, companies must, among other things, publicly confirm that they will adhere to specific privacy obligations ranging from data minimization and retention to limits on data sharing. This public commitment gives the FTC standing to bring enforcement actions under Section V of the FTC Act. The EU will review the program on an ongoing basis to ensure it continues to provide an “adequate” level of protection, with the first review in one year.
In determining that the Framework program was “adequate,” the EU pointed to several elements of the program. These included that participating companies must give individuals rights similar to those under GDPR (access, correction, deletion). They must also offer a free dispute-resolution mechanism for mishandled information. Additionally, one of the key factors in the program’s approval by the EU was the US’s establishment, through a White House Executive Order, of safeguards governing the use of non-US nationals’ personal information by US surveillance agencies. Under that order, there are limits on when such agencies can access this information, more oversight of their information collection and use activities, and an independent redress mechanism for individuals. For this redress mechanism, individuals can submit complaints to their domestic data protection authority; they do not need to bring the complaint in the US. The EDPB will then send those complaints to the US, where a “Civil Liberties Protection Officer” will investigate. The investigator’s decisions can be appealed to a newly created “Data Protection Review Court.” The EU noted that these safeguards apply to all data transfers from the EU to the US “regardless of transfer mechanism used.” In other words, the EU indicated, they “facilitate the use of other tools” including standard contractual clauses and binding corporate rules. This should thus help companies that elect to use SCCs or BCRs as a transfer mechanism instead of joining the new Framework program.
Putting It Into Practice: Those interested in learning more about the Framework program can visit the Department of Commerce’s program site here. The Framework is not the only mechanism for transferring personal data between the EU and US. Given the fate of the prior programs, companies will want to work with their counsel and think carefully about whether this one is a good fit for them. They will also want to keep in mind the various principles to which they will be asked to publicly adhere, and ensure that they have processes and procedures in place to meet them.