EU-US Data Privacy Framework is Under Way

17 July 2023, Alexander Tribess

The EU-US Data Privacy Framework (DPF) is a new legal framework for data transfers between the EU and US.

After years of negotiations between EU and US officials, the EU Commission adopted a decision on 10 July 2023 to enact the DPF (C(2023) 4745). On 17 July, the US Department of Commerce officially launched the DPF website dataprivacyframework.gov, allowing businesses on both sides of the Atlantic to retrieve information on DPF certifications.

About the DPF and Its Legal Background

The DPF includes a number of safeguards and redress mechanisms to protect individuals' rights and ensure that personal data transferred from the EU to the US is adequately protected, in line with the requirements of Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR).

Art. 44 et seqq. of the GDPR aim to make sure that European standards with respect to the protection of personal data are respected even if personal data are transferred to countries outside the EU or the European Economic Area. Data exporters remain responsible for GDPR compliance and must select one of a limited number of applicable mechanisms to ensure an adequate level of data protection. The swiftest way of doing so is relying upon an EU Commission decision (like the DPF) confirming such adequacy for a given country (Art. 45 of the GDPR).

The EU Commission had previously adopted an adequacy decision for the US, the so-called Privacy Shield. However, the Schrems II decision of the European Court of Justice (ECJ, judgment of 16 July 2020 – C-311/18) confirmed that US law did not provide adequate protection for personal data transferred from the EU to the US. The ECJ found that US law did not ensure a level of protection that is essentially equivalent to the level of protection guaranteed by EU law, particularly with respect to government access to personal data. Hence, the ECJ nullified the adequacy decision.

In light of the concerns raised by the Schrems II decision, the Commission has taken steps to ensure that personal data transferred from the EU to the US is adequately protected. The DPF is one such step: it is designed to provide a mechanism for the transfer of personal data from the EU to the US while ensuring that the data is adequately protected and that individuals' rights are respected. To this end, the DPF includes a number of safeguards, including independent recourse mechanisms and oversight by EU data protection authorities.

What concerned the ECJ the most in the Schrems II judgment were the signals intelligence activities under FISA 702 and EO 12333. On 7 October 2022, the U.S. President issued EO 14086 on Enhancing Safeguards for United States Signals Intelligence, which sets limitations and safeguards for all U.S. signals intelligence activities. Safeguards such as transparency, oversight, and accountability requirements are designed to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives, and that individuals' privacy rights are respected.

Self-Certification under the DPF

As under the Privacy Shield, US companies can self-certify to qualify under the DPF. The self-certification process is voluntary, but it is the only mechanism available for US companies to receive personal data from the EU under the DPF. If a US company does not self-certify, it cannot receive personal data from the EU under the DPF.

Once an organization has self-certified, its certification remains valid for a period of one year. After that, the organization must re-certify to the DPF to maintain its certification.

To participate in the DPF, organizations must self-certify that they meet the requirements of the DPF. Annex V of the Commission decision sets out the certification requirements for US organizations that wish to self-certify under the DPF. These requirements include a number of obligations related to transparency, accountability, and cooperation with EU data protection authorities. Organizations must also provide detailed information about their data processing activities and must submit to independent recourse mechanisms. Dataprivacyframework.gov provides more detailed information on the requirements and the procedural aspects of self-certification.

Many US companies (including Amazon or Microsoft) kept their Privacy Shield certification and re-certified even though it no longer sufficed to establish GDPR compliance. The US government assumes that these companies also want to commit themselves to the DPF. Thus, US companies with an existing Privacy Shield certification are now listed as DPF certified.

The list is available online at dataprivacyframework.gov, and European companies may rely on it when assessing the permissibility of a data transfer to the US.

As under the Privacy Shield, a list of all organizations that have self-certified under the DPF will be available online. The US government publishes, and regularly updates, information on the validity of the DPF certifications at dataprivacyframework.gov.

EU businesses may rely on the DPF for their data transfers only once, and only as long as, the US company appears on the list! Data exporters should, therefore, check on an annual basis whether the transferee of personal data in the US has duly re-certified.

What European Companies Should Bear in Mind

Even if a US company has self-certified and qualified for the DPF, GDPR requirements with respect to signing DPAs will remain applicable. The DPF solely facilitates the transfer of data to the US; the obligation to sign a controller-processor DPA (Art. 28 of the GDPR) or a joint controller agreement (Art. 26 of the GDPR) remains entirely unaffected. The same applies to all other GDPR obligations, including providing information on data transfers to data subjects (Art. 13 and 14 of the GDPR).

If a data importer in the US appears on the DPF list hosted by the Department of Commerce, European companies should review their documentation and, in particular, update all privacy policies with respect to the applicable data transfer mechanism.

Companies should also closely monitor news channels operated by their US business partners, which may provide updated versions of DPAs or other useful information that EU businesses should (or even have to) keep for documentation purposes.

Although risks associated with data transfers to the US have always played a significant role for EU data protection authorities and courts when criticizing certain data processing tools like Google Analytics, they were not the only concern. Shortcomings with respect to transparency or data minimization principles will still constitute important concerns which cannot be overcome by self-certifying under the DPF. EU controllers should still carefully evaluate each and every data processing activity for GDPR compliance!

Individuals' Rights Under the DPF

The DPF includes a number of redress mechanisms to protect individuals' rights and ensure that personal data transferred from the EU to the US is adequately protected. These mechanisms are designed to provide individuals with effective administrative and judicial redress in case of non-compliance by EU-US DPF organizations. US organizations must provide for effective and readily available independent recourse mechanisms by which each individual's complaints and disputes can be investigated and expeditiously resolved at no cost to the individual.

The independent recourse mechanism will investigate complaints and make a decision providing an effective remedy if necessary. The decision of the independent recourse mechanism is binding on the organization.

If an individual is not satisfied with the decision of the independent recourse mechanism, they may also have the right to seek judicial redress. The DPF provides a number of avenues in the US for EU data subjects to bring legal action before an independent and impartial tribunal with binding powers. These avenues allow individuals to have access to their personal data, to have the lawfulness of government access to their data reviewed, and to have any violations remedied, including through the rectification or erasure of their personal data.

Review of the DPF and Preparation for a Potential Invalidation

Strict data protection non-profit organizations have already announced that they will challenge the DPF. It may be that the ECJ will assess the validity of the DPF in the upcoming years. In addition, the Commission will perform reviews of the DPF to verify whether all relevant elements have been fully implemented and are functioning effectively in practice. The Commission will meet with the various US government departments and agencies involved in the implementation of the DPF to perform these reviews. Participation in these meetings will be open to representatives of the members of the European Data Protection Board.

Though the DPF offers confidence to EU individuals that their data will be protected and that they will have legal remedies to address concerns related to their data, companies may want to prepare for a potential invalidation of the DPF by the ECJ or by a repealing Commission decision. A proper approach would be to include the EU Standard Contractual Clauses as a fallback option. This was a common practice under the Privacy Shield and helped businesses to continue data transfers when the ECJ nullified the Privacy Shield in 2020.