Are Data Transfers to the United States Safe Again?
12 Things to Know About the New EU-U.S. Data Privacy Framework
On July 10, 2023, the European Commission published its adequacy decision regarding the EU-U.S. Data Privacy Framework (EU-US DPF). According to that decision, US companies participating in the EU-US DPF ensure an adequate level of data protection under the EU General Data Protection Regulation (GDPR), so that personal data may be disclosed to participating US companies without entering into the EU Standard Contractual Clauses (SCC) and without the need for a transfer impact assessment.
Here is what companies need to know now about the EU Commission’s adequacy decision and its impact on Switzerland:
1. What did the European Commission decide on July 10, 2023?
In its adequacy decision of July 10, 2023, the European Commission decided that the EU-U.S. DPF provides for an adequate level of data protection when private companies or public authorities in the EU and the EEA disclose personal data to U.S. companies that participate in the EU-U.S. DPF. This will contribute significantly to facilitating the disclosure of personal data from the EU and the EEA to data importers in the United States, provided that they participate in the EU-U.S. DPF.
The approval of the EU-U.S. DPF marks the third attempt of EU and U.S. authorities to facilitate the transatlantic disclosure of personal data, after the Court of Justice of the European Union (CJEU) struck down first the EU-U.S. Safe Harbor Framework and then the EU-U.S. Privacy Shield (the so-called «Schrems II» decision, cf. our Bulletin of July 16, 2020).
Under the EU-U.S. DPF, certain U.S. companies may self-certify that they adhere to a defined set of privacy principles issued by the U.S. Department of Commerce, thereby committing to an adequate level of data protection in relation to their processing of personal data received from data exporters in the EU and the EEA. In addition, the EU-U.S. DPF relies on the terms of U.S. Executive Order 14086, signed by President Biden on October 7, 2022 (EO 14086). EO 14086 establishes certain safeguards for U.S. signals intelligence activities, aiming to align these with fundamental principles of European law, including proportionality, oversight, and effective redress for affected data subjects. In order to benefit from that redress mechanism, a complaint must be submitted through a qualifying state. To date, the U.S. Attorney General has designated the EU and EEA member states as such qualifying states, but not yet Switzerland.
2. What are the consequences of this decision for data exports to the United States?
As the EU Commission considers that the protection under the privacy principles of the EU-U.S. DPF is adequate, data exporters may transfer personal data under the GDPR from the EU and the EEA to U.S. companies certified under the EU-U.S. DPF without further safeguards and without having to conduct a transfer impact assessment.
Companies should, however, carefully consider whether to fully migrate their disclosures of personal data to the United States to the EU-U.S. DPF: Even where companies continue to rely on the EU SCC, the adequacy decision will simplify the transfer impact assessment in practice (see section 3 below), and there may be valid reasons to continue to rely on the EU SCC or binding corporate rules. Thus, a case-by-case decision is required. In this respect it should be considered that the EU-U.S. DPF will in all likelihood be challenged in court, as were its predecessors (see section 1 above). Should the CJEU decide to invalidate even this third attempt to build a framework for transatlantic data disclosures, companies relying exclusively on the EU-U.S. DPF may be left unprotected.
3. Can Swiss companies benefit from the EU-U.S. DPF?
To date, Swiss companies only benefit to a limited extent from the EU-U.S. DPF:
- The EU-U.S. DPF and the EU adequacy decision do not cover data exporters in Switzerland that disclose personal data to self-certified companies in the United States. The EU adequacy decision only applies to data exporters in the EU and the EEA that disclose personal data to organizations in the United States.
- The new Swiss DPA requires an adequacy decision from the Swiss Federal Council, published in an annex to the new Data Protection Ordinance. Until the Federal Council adds the United States to this list, the United States continues to be viewed as a country without adequate protection under the DPA. Thus, data exporters in Switzerland who wish to lawfully disclose personal data to recipients in the United States will still need to either rely on statutory exemptions or implement alternative safeguards to ensure an adequate level of data protection, e.g., by way of the EU SCC, which require a transfer impact assessment to be conducted (cf. our Bulletin of August 30, 2021).
- For Swiss companies, however, performing the transfer impact assessment for disclosing personal data to recipients in the United States based on the EU SCC has become easier with the adoption of the EU Commission’s adequacy decision: The limitations on signals intelligence provided by EO 14086 (e.g., that signals intelligence activities must be proportionate to validated intelligence priorities) are not limited to data disclosed by data exporters in the EU and the EEA, so that data disclosed by Swiss data exporters also benefits from the limitations provided by EO 14086. Hence, U.S. authorities would have to adhere to the relevant safeguards even in respect of Swiss personal data. With the EU Commission having in principle acknowledged the adequacy of these safeguards, there is no reason why this should be viewed differently from a Swiss perspective. Thus, for the purpose of performing a transfer impact assessment, Swiss companies may argue that U.S. signals intelligence activities are reasonably limited in a manner that is also acceptable from the perspective of Swiss law.
- For the time being, however, Swiss data subjects are excluded from the redress mechanism provided for by EO 14086: This mechanism only applies to complaints lodged in a qualifying state, and the list of qualifying states does not yet include Switzerland. This will have to be considered as a risk factor in performing the transfer impact assessment until Switzerland is acknowledged as a qualifying state by the U.S. Attorney General.
- In this respect, the Swiss Federal Data Protection and Information Commissioner (FDPIC) has already confirmed that Switzerland is engaged in discussions regarding a «Swiss-U.S. Data Privacy Framework» and that these discussions are well advanced. Until the adoption of a «Swiss-U.S. Data Privacy Framework», however, the list of countries with adequate protection will stay the same. Thus, Swiss companies must remain patient for the time being until the Federal Council decides to add the United States to the list of countries with adequate protection.
4. What do Swiss companies need to consider until a Swiss-U.S. Data Privacy Framework is adopted?
For the time being, Swiss companies must continue to regard the United States as a country without adequate data protection laws. Thus, disclosure of personal data to the United States continues to be permissible only if either an adequate level of data protection is guaranteed through appropriate contractual safeguards or an exception provided for by the DPA applies. However, conducting the transfer impact assessment becomes easier with respect to the assessment of local surveillance legislation (see section 3 above). If a U.S. company is certified under the EU-U.S. DPF, this can be considered as an additional layer of protection.
When delegating processing activities to data processors in the United States, Swiss companies may consider doing so through a data processor in the EU or the EEA. Data transfers from Switzerland to data processors in the EU and the EEA are permitted without additional safeguards. The onward transfer from the EU or EEA processor to the U.S. sub-processor may benefit from the EU Commission’s adequacy decision if the sub-processor in the United States is certified under the EU-U.S. DPF. In practice, it is already common for service providers in the United States to conduct their business with European customers through affiliates in the EU or the EEA.
5. When will the EU-U.S. DPF enter into force?
The EU-U.S. DPF is in force now: the adequacy decision relating to the EU-U.S. DPF entered into force immediately upon its adoption on July 10, 2023.
6. What is new?
The EU-U.S. DPF provides for limitations and safeguards applicable to personal data transferred to the United States from a data exporter in the EU and the EEA under the GDPR:
- Several rights for data subjects, e.g., to obtain access to their data and to obtain correction or deletion of incorrect or unlawfully handled data.
- A set of redress avenues in case personal data is processed contrary to the EU-U.S. DPF principles, including a free-of-charge independent dispute resolution mechanism and an arbitration panel.
- The U.S. Department of Commerce will process applications for certification, and monitor whether participating companies continue to meet certification requirements.
- Compliance by U.S. companies will be enforced by the U.S. Federal Trade Commission.
EO 14086 provides for limitations and safeguards with respect to U.S. intelligence agencies:
- Binding safeguards that limit access to data by U.S. intelligence authorities to what is necessary and proportionate to protect national security.
- Enhanced oversight of activities by U.S. intelligence services to ensure compliance with limitations on surveillance activities.
- Establishment of an independent and impartial redress mechanism, including a new Data Protection Review Court to investigate and resolve complaints.
7. What if U.S. law changes?
The EU Commission has announced that it will continuously monitor the relevant U.S. decisions, and regularly review the adequacy decision to verify that all relevant elements of the new framework are working effectively in practice. The first review is scheduled to take place after one year, i.e., in July 2024.
In the event of developments affecting the level of protection under the EU-U.S. DPF, the adequacy decision may be adjusted or even withdrawn.
8. Which U.S. companies may participate in the EU-U.S. DPF?
To be eligible for certification under the EU-U.S. DPF, a U.S. company must be subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission, the U.S. Department of Transportation, or another statutory body that will effectively ensure compliance with the principles (cf. section 2.1.1 and Annex I, section I. 2. of the European Commission’s adequacy decision). Thus, there may be certain exceptions regarding which U.S. companies may participate in the EU-U.S. DPF.
9. How can data exporters check whether the envisaged data importer is duly certified under the EU-U.S. DPF?
The U.S. Department of Commerce will maintain and publish a list of U.S. companies that have self-certified to the U.S. Department of Commerce and declared their commitment to adhere to the principles of the EU-U.S. DPF (the Data Privacy Framework List). Only companies on the Data Privacy Framework List may benefit from the EU Commission’s adequacy decision. Thanks to the list, however, data exporters do not have to check for themselves whether a U.S. company is eligible to participate in the EU-U.S. DPF; they do have to check that the envisaged data importer actually appears on the list, and that its certification covers the type of data concerned (e.g., HR data), at the time of the transfer.
The U.S. Department of Commerce will remove companies from the Data Privacy Framework List that voluntarily withdraw from the EU-U.S. DPF, fail to complete their annual re-certification, or persistently fail to comply with the principles.
10. What are the consequences of a removal from the Data Privacy Framework List?
If a company is removed from the Data Privacy Framework List, it may no longer benefit from the EU Commission’s adequacy decision regarding the EU-U.S. DPF. Thus, European data exporters may no longer transfer personal data to such a U.S. company without additional safeguards guaranteeing adequate protection under the GDPR. As the Data Privacy Framework List is an authoritative list, it can be assumed that European data exporters can generally rely on it and argue that all data exports to the U.S. company made before its removal were lawful under the adequacy decision.
The further consequences regarding the personal data already received under the EU-U.S. DPF depend on the reason for the removal of the U.S. company from the Data Privacy Framework List:
- U.S. companies that voluntarily withdraw from the EU-U.S. DPF, or that fail to complete their annual re-certification, may choose to either (i) continue to apply the principles of the EU-U.S. DPF to the personal data they received under the EU-U.S. DPF and affirm to the U.S. Department of Commerce their commitment to do so on an annual basis, for as long as they retain such data, (ii) provide adequate protection for the data by other means, e.g., by using the EU SCC, or (iii) return or delete the data.
- Companies that were removed from the Data Privacy Framework List due to their persistent failure to comply with the principles of the EU-U.S. DPF must return or delete the personal data they received under the EU-U.S. DPF.
11. What should data exporters consider when transferring personal data to U.S. companies participating in the EU-U.S. DPF?
Data exporters should include the following in the data transfer agreement with the U.S. data importer, in addition to any other terms governing the relevant data transfer in the specific circumstances:
- Obligation to comply with the principles of the EU-U.S. DPF;
- Obligation to remain duly certified under the EU-U.S. DPF;
- Obligation to notify the data exporter immediately of a removal from the Data Privacy Framework List and of the reason for such removal;
- Mechanism to address the consequences of a removal from the Data Privacy Framework List (e.g., a fallback to the EU SCC, or return or deletion of the data).
12. Is the EU-U.S. DPF here to stay?
NOYB, the non-profit organization founded by Max Schrems, has announced that it is prepared to challenge the EU Commission’s adequacy decision before the CJEU. NOYB alleges, in particular, that the fundamental problems with respect to mass surveillance by U.S. intelligence under FISA Section 702 have not been solved and that the EU-U.S. DPF is «largely a copy of the failed ‘Privacy Shield’».
Thus, time will tell whether the EU-U.S. DPF will withstand the review by the CJEU that will inevitably follow.
This Bulletin reflects the general views of the authors as of the date of this Bulletin, without taking into account any specific facts or circumstances. It does not constitute legal advice. Any liability for the accuracy, correctness, completeness or appropriateness of the contents of this Bulletin is expressly excluded.