O’Melveny Worldwide

Wash, Rinse, Repeat: EU Approves Third Privacy Framework for Personal Data Transfers

August 14, 2023

After years of uncertainty, the European Commission has paved the way for US companies to transfer personal data from the European Union to the United States, adopting an adequacy decision on the EU-U.S. Data Privacy Framework (“DPF”).[1] The DPF marks the third attempt by the United States and the European Union to establish protocols for the transfer, use, and security of data across the Atlantic. On July 17, 2023, with the DPF now approved, the United States Department of Commerce launched the program for US companies to self-certify their compliance.[2] Companies opting into the program must certify that their data practices meet DPF requirements. Once a company self-certifies, it can transfer personal data to the US in compliance with European data privacy law. But companies should be alert: as with the adoption of past protocols, litigation is likely to follow.

History of EU-US Data Transfers

The General Data Protection Regulation (“GDPR”), the European law governing the capture, storage, and use of personal data, generally prohibits the transfer of personal data of EU residents to a country, including the US, that is deemed not to provide an adequate level of protection. Without an “adequacy decision,” companies need to use a different transfer mechanism to comply with the GDPR, such as standard contractual clauses or binding corporate rules.

The GDPR authorizes the European Commission (the “Commission”), a hybrid legislative and executive body, to determine whether a non-EU country provides “an adequate level of protection” for personal data. The law defines “adequate” as being “essentially equivalent to the protection offered by the laws of the EU.” Once the Commission makes an “adequacy decision” about a non-EU country, organizations from that country can begin transferring data out of the EU.[3]

In 2000, the Commission first approved a mechanism known as the EU-US Safe Harbor Framework for companies to certify that they complied with EU data privacy principles. In a 2015 decision that came to be known as Schrems I, the European Court of Justice (“CJEU”) declared the framework invalid because it did not adequately protect European personal data from intrusion by United States government officials pursuing national security and law enforcement interests.[4]

The Commission and the US tried a second time, negotiating a new agreement, finalized in 2016, known as the EU-US Privacy Shield. The Commission, through an adequacy decision, adopted the framework, and over 5,000 United States companies certified their compliance to begin transferring data. In a case known as Schrems II, the CJEU in 2020 again struck down the agreement, finding that the Privacy Shield did not provide EU “data subjects”—the people whom the data concerns—an opportunity to redress data misuse by US government officials as required by EU law.[5]

In March 2022, President Biden and EU President von der Leyen announced the DPF—the third attempt to enact a framework for EU-US data transfers. The DPF includes a set of principles governing how organizations transferring data from the EU to the US must interact with that data and the data subjects. Principles include notice requirements, an opportunity for individuals to opt out of certain uses for their data, and privacy protections. The DPF provides EU citizens whose data has been transferred by a participating organization the ability to access their data, obtain corrections or deletions of incorrect or unlawful data, and redress wrongly handled data.

In October 2022, President Biden signed Executive Order 14086 on “Enhancing Safeguards for United States Signals Intelligence Activities,” which required the Director of National Intelligence and the Attorney General to establish mechanisms for reviewing and responding to complaints from individuals in EU countries about the handling of personal data by US government officials. The order aimed to address the CJEU’s prior findings and establish procedures for the Civil Liberties Protection Officer of the Office of the Director of National Intelligence to review and respond to complaints about data privacy violations by US government officials, with a second level of review by the newly created Data Protection Review Court.[6]

On July 10, 2023, the Commission adopted its adequacy decision finalizing the DPF and allowing personal data to begin flowing freely from the EU, Norway, Iceland, and Liechtenstein to the United States. Despite the Biden Administration’s adjustments, the same privacy activist who previously challenged the sufficiency of prior transatlantic privacy frameworks in the CJEU has signaled that he will do so again.[7]

Impact on US Companies

Companies wishing to transfer data under the new regulatory structure must self-certify that they are in compliance with the DPF. The DPF obligates data importers to adhere to a set of data privacy principles, including:

  • providing transparent notice of their data processing;
  • providing an opportunity for data subjects to opt out of personal information being disclosed to third parties or used for a purpose different from that for which the data was originally collected;
  • accepting responsibility for “onward transfers” or transfers of personal data collected by the data importer to another party;
  • ensuring data security;
  • processing only relevant data; and
  • granting data subjects the ability to access their data.

Companies self-certify through the Department of Commerce’s new website, www.dataprivacyframework.gov. To self-certify, companies must:

  • attest that they will comply with the DPF’s principles;
  • publish a privacy policy that complies with the DPF’s principles;
  • provide an independent recourse mechanism to investigate complaints about the company’s noncompliance with the DPF;
    • for most commercial data, companies may choose as their recourse mechanism either private-sector independent arbitrators, who resolve disputes concerning personal data, or a European data protection authority;
    • for human resources data, the recourse must include a commitment to comply with European data protection authorities; and
  • agree to subject the company to the investigatory and enforcement powers of the US Federal Trade Commission (“FTC”) or the US Department of Transportation (“DOT”).

Companies that self-certify are published on a publicly available registry maintained by the Department of Commerce.[8] The Department of Commerce will also publish a list of companies that have been removed from the DPF registry, and companies failing to meet their commitments under the DPF may face enforcement from the FTC for “unfair” or “deceptive” practices in violation of the FTC Act. Given that risk, companies that had already established standard contractual clauses for transferring data prior to the finalization of the DPF may wish to keep them in place.

Conclusion

The DPF provides companies an important new mechanism to transfer personal data from the EU to the US. But any company planning on self-certifying its compliance with the DPF should ensure that its data privacy policies and procedures comply with the framework’s principles to avoid investigation and potential liability. Companies planning on self-certifying, at minimum, should:

  • determine whether the company is under the jurisdiction of the FTC or DOT;
  • determine exactly what data will be collected and imported to the United States and for what purposes;
  • ensure that the company’s privacy policy complies with DPF principles and is available to data subjects;
  • ensure that notices provided to data subjects accurately describe the company’s data collection and processing practices and ensure that data subjects have a means of opting out from third-party disclosure; and
  • determine who at the company will serve as a point of contact for DPF compliance and establish an independent recourse mechanism.

[1] European Commission Press Release, Data Protection: European Commission Adopts new adequacy decision for safe and trusted EU-US data flows (July 10, 2023), available at https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721.

[2] Press Release, Data Privacy Framework Program Launches New Website Enabling U.S. Companies to Participate in Cross-Border Data Transfers, U.S. Department of Commerce (July 17, 2023), available at https://www.commerce.gov/news/press-releases/2023/07/data-privacy-framework-program-launches-new-website-enabling-us.

[3] General Data Protection Regulation, art. 45 § 1.

[4] Schrems v. Data Protection Commissioner, C-362/14, Judgment, ¶ 87 (Oct. 6, 2015).

[5] Data Protection Commissioner v. Facebook Ireland Limited, C-311/18, Judgment, ¶ 197 (July 16, 2020).

[6] Press Release, Redress in the Data Protection Review Court, DOJ (June 30, 2023), available at https://www.justice.gov/opcl/redress-data-protection-review-court.

[7] Joseph Duball, DPC 2022: EU-US Data Privacy Framework on track, Schrems challenge to come, IAPP (Nov. 17, 2022), available at https://iapp.org/news/a/at-dpc-2022-eu-us-data-privacy-framework-on-track-schrems-challenge-to-come/.

[8] Data Privacy Framework List, US Department of Commerce (last visited Aug. 7, 2023), available at https://www.dataprivacyframework.gov/s/participant-search.

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Randall W. Edwards, an O’Melveny partner licensed to practice law in California, Sid Mody, an O’Melveny partner licensed to practice law in Texas, Scott W. Pink, an O’Melveny special counsel licensed to practice law in California and Illinois, and Joshua Goode, an O’Melveny associate licensed to practice law in the District of Columbia, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2023 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.