With the adoption of the EU-U.S. Data Privacy Framework, European and U.S. organizations and privacy professionals are facing a new framework for data transfers across the Atlantic. Focus is quickly turning to implementation and what's next.
"The reason this is all so important is that data flows and the transfers of personal data are a key enabler for basically all elements of the transatlantic economic relationship. It's something so fundamental that it really underpins all elements of commerce and trade investment between the United States and Europe," U.S. Department of Commerce DPF Director Alex Greenstein recently said. "That's the biggest economic relationship in the world, and that's why this has been such a priority for the Biden administration and for the EU."
The European Commission adopted its adequacy decision for the EU-U.S. DPF 10 July, days after the U.S. announced the completion of commitments under President Joe Biden's executive order concerning the framework.
"The crucial element is that the commission has decided that the efforts made by the U.S. government will be good enough to fence off yet another challenge in the Court of Justice of the European Union," Hogan Lovells Partner Eduardo Ustaran, CIPP/E, said. "In particular, the changes introduced by the U.S. intelligence community and the new redress mechanism are now seen as robust enough, which is not a small matter given the pressure that the commission is under to get it right this time."
'A significant step forward'
Following the CJEU's invalidation of the DPF's predecessor, the Privacy Shield, three years ago in the "Schrems II" case, companies have turned to alternative transfer mechanisms including standard contractual clauses and binding corporate rules.
The European Commission's Bruno Gencarelli said the safeguards developed within the DPF, including national security commitments from the U.S. and its redress mechanism with the creation of the Data Protection Review Court, have been designed to apply to "any transatlantic data flow regardless of the instrument to use."
EU organizations that rely on alternative mechanisms like SCCs and BCRs can now point to the DPF's enhanced protections in their transfer impact assessments to show that the requirements around national security and government access are met, Gencarelli said.
"That's very important for stability of the data flows and legal certainty for those organizations," he said.
Greenstein said companies should review transfer mechanisms with their legal counsel, and also consult their supervisory data protection authorities on any changes that may need to be made, but noted the adoption of the DPF "reflects an endorsement" that it "meets the standards for adequacy" in the EU General Data Protection Regulation.
"So that is a very significant step forward, which addresses the concerns raised in the 'Schrems II' decision, and I certainly think that should be taken into account as companies try to use the standard contractual clauses," Greenstein said. "But, certainly, (companies) need to consult with their supervisory DPAs about what that means in practice."
On 17 July, the U.S. Department of Commerce launched the Data Privacy Framework program website, where U.S.-based organizations can submit for self-certification and find information on participating companies, the history leading to this point, and more.
According to the department's guidance, organizations that remained certified to the Privacy Shield must comply with the new EU-U.S. Data Privacy Framework principles by 17 Oct. Organizations may begin relying immediately on the DPF adequacy decision to receive personal data transfers from the EU and European Economic Area, it said.
The three-month transitional period is built in for companies previously certified under the Privacy Shield to update privacy policies to reflect the new Data Privacy Framework, and for those looking to self-certify to begin the process, Greenstein said. For previously certified companies, privacy policy updates will signal a statement of compliance without having to resubmit for certification, he said.
For companies looking to withdraw from the Privacy Shield, and not participate in the DPF, Greenstein said the program's website includes information on a formal withdrawal process.
Those new to the framework can initiate the self-certification process online. They'll be required to provide details about their privacy policy, reasons for data transfers, reporting mechanisms and more. Once they receive confirmation from the Department of Commerce, Greenstein said companies can proceed with data transfers under the DPF.
Legal challenges likely
The guidance is coming as privacy advocate Max Schrems, who successfully challenged the DPF's predecessors, has already confirmed his group NOYB will be pursuing a legal challenge. Greenstein said the Department of Commerce and European Commission are "fully aware" of anticipated challenges, but are confident the framework meets the required mandate set by the CJEU in "Schrems II."
"That was really our goal, in conjunction with the commission, was to really craft something that directly addressed the concerns raised by the court and so I think we did a pretty good job of that," he said. "We had to work under certain constraints in terms of what we could do within the U.S. law and Constitutional framework, but I think that also let us be very creative, and work very closely with the Commission to understand what the obligations were that the court put out there and also how to use what we have available in the United States to meet those."
Gencarelli reiterated that the European Commission believes "we can credibly defend this framework."
"Why I'm saying that is because there's a difference this time," he said, noting lessons learned and issues addressed through "Schrems I" and "Schrems II."
"This is a very complex area of law, but we could negotiate on the basis of specific requirements and therefore we will also be able to defend this framework if it is challenged in light of those requirements," he said.
What's ahead
Gencarelli said there is potential for future EU-U.S. data transfer mechanisms tailored to specific sectors currently excluded from the scope of the DPF, for instance the financial services and health industries.
He also said additional adequacy arrangements between countries can be expected, noting the EU is in adequacy talks with Brazil and other Latin American countries, and talks are ongoing to extend the scope of the EU-Japan adequacy decision to include the Japanese public sector and research organizations.
In the U.S., there is potential for state-level collaboration, Gencarelli said, pointing to California where EU Commissioner for Justice Didier Reynders this week met with members of the California Privacy Protection Agency.
"Whether there is a possibility to go deeper with certain systems, for instance privacy frameworks that have been adopted by states, that's legally possible," he said. "California has certainly expressed interest in looking at that possibility, and that's something that is absolutely not excluded."
While there has been conversation around federal privacy legislation in the U.S. for a long time, Gencarelli said enacting a federal law "that would offer strong safeguards" could also, "depending on its content," potentially "extend the scope of the Data Privacy Framework."
"This is an example of how compared to a few years ago, we are much closer. The need for rules of the game on privacy is recognized on both sides of the Atlantic and in developing that federal privacy legislation, probably certain principles — in terms of individual rights, purpose limitation, protection of sensitive data — of the Data Privacy Framework could be a good source of inspiration. It would be good to see that those requirements of the Data Privacy Framework are consolidated, codified in legislation that applies across the board," he said.