New Era for Personal Data Transfer Between EU and USA
- znkaracetin
- 24 Aug 2023
The EU-US Data Privacy Framework Adequacy Decision (‘‘DPF Adequacy Decision’’) was published by the European Commission on July 10, 2023. This decision concludes that the United States provides an adequate level of protection for personal data transferred to US companies that are part of the EU-US Data Privacy Framework, as recognized by the European Union.
In this context, data transfers from the EU to organizations located in the United States listed in the 'Data Privacy Framework (DPF) List' can be carried out on the basis of the Adequacy Decision. This implies that data transfers can occur without the need for additional safeguards. Transfers to organizations in the United States that are not listed in the DPF List cannot be conducted on the basis of the Adequacy Decision, and require appropriate legal rights and data protection measures for data subjects, such as Standard Contractual Clauses (‘‘SCC’’), to be in place.
This Memo first explains the significance of the adequacy decision and discusses past legal regulations. It then addresses the content of the DPF and matters concerning its enforcement and review.
1. What Does the Adequacy Decision Mean?
In accordance with Article 45 of the General Data Protection Regulation (‘‘GDPR’’) of the European Union, when the European Commission determines that a third country, a region within that third country, or one or more sectors within it, or an international organization provides an adequate level of data protection, personal data can be transferred to that country or international organization without requiring specific consent. As a result of such adequacy decisions, personal data can be freely and securely transferred from the European Economic Area (EEA), which includes 27 EU Member States, Norway, Iceland, and Liechtenstein, to a third country without the need for any conditions or additional authorizations.
An Adequacy Decision taken under Article 45 of the GDPR is equivalent to a "Country Providing Adequate Protection Decision" taken by the Personal Data Protection Board (the "Board") in accordance with Article 9(3) of the Turkish Data Protection Law (‘‘KVKK’’).
2. Legal Frameworks in the Past
The EU-US Data Privacy Framework can be considered as the third attempt concerning trans-Atlantic data transfers, following the International Safe Harbor Privacy Principles (Safe Harbor) adopted in the year 2000 and the Privacy Shield Decision 2016/1250 (Privacy Shield).
Due to the invalidation of the International Safe Harbor Privacy Principles by the European Court of Justice (‘‘ECJ’’) with the Schrems I decision in 2015 and the invalidation of the Privacy Shield Decision 2016/1250 by the Schrems II decision in 2020, there had been no legal basis for data transfers between the European Union and the United States since the year 2021. In this context, the ECJ particularly emphasized the uncontrolled access of intelligence services to data and called for a series of measures from the United States concerning data protection.
After years of negotiations, and considering various data protection legislation and measures enacted in the United States, the European Commission concluded that the United States provides an equivalent level of protection for personal data to that of the European Union. This decision, which forms the EU-US Data Privacy Framework, allows personal data to flow freely to US companies participating in the Data Privacy Framework without requiring additional protective measures. In other words, the Adequacy Decision aims to address concerns regarding EU-US data transfers and provides binding assurances to ensure the necessary protection of personal data from the EU against unwanted access by US authorities.
3. An Overview of the Regulation
3.1. Key Safeguards
To address concerns raised by the European Court of Justice and strengthen privacy protections, the Data Privacy Framework includes the following key safeguards:
Limiting Uncontrolled Access to EU Data: The Data Privacy Framework restricts uncontrolled access to EU data. Under DPF, US intelligence agencies can only access data to the extent that it is necessary and proportionate.
Establishment of an Independent Compensation Mechanism: The Data Privacy Framework envisions the creation of an independent and impartial compensation mechanism, including the establishment of a Data Protection Review Court, to investigate and resolve complaints related to data access by US national security authorities.
Enhanced Rights for EU Individuals: DPF extends new rights to EU individuals, similar to those under the GDPR, such as the right to access, rectify, or delete their data when it is processed inaccurately or unlawfully.
Application of Privacy Principles: DPF incorporates a set of mandatory principles that resemble core GDPR principles, including purpose limitation, data minimization, security, data accuracy, transparency, and restrictions on the transfer of data to other locations.
3.2. Principles
The principles within the DPF are divided into sub-sections known as "Main Principles" and "Supplementary Principles," collectively referred to as "Principles." These Principles have minor differences from the principles found in the previously invalidated Privacy Shield. While many principles such as Notice, Choice, Accountability for Onward Transfers, Security, Data Integrity and Purpose Limitation, Access and Recourse, Enforcement, and Liability are retained, some Supplementary Principles, like Self-Certification, have been modified to require more detailed information.
When a company intends to withdraw from the DPF, it is obligated to notify the Department of Commerce in advance of its intent and of the steps it plans to take concerning the personal data it processed under the DPF. If it retains that data, the company must annually certify that it has adhered to the Principles concerning the data or, alternatively, use an authorized mechanism to ensure "adequate" protection.
3.3. Self-Certification Mechanism
Companies participating in data transfers from the EU to the US are obligated to self-certify their compliance with the standards through the US Department of Commerce. Within this Framework, companies are required to submit information about their processing of EU personal data, including a website presentation confirming the company's adherence to the EU-US Data Privacy Framework Principles as specified in the Framework to the US Department of Commerce. Subsequently, the US Department of Commerce will include the company in the publicly accessible Data Protection Framework List once it verifies that the company meets these requirements. The protection provided by the DPF becomes effective from the moment the company is included in this list.
Furthermore, the effective implementation of compliance by US companies, along with addressing complaints and conducting investigations as needed, falls under the responsibility of the US Federal Trade Commission as part of its role in enforcing the Data Privacy Framework.
4. Effectiveness and Review
The Adequacy Decision went into effect immediately after its adoption on July 10, 2023. While the decision does not have a specific time limit, the European Commission will continuously monitor developments in the United States and conduct periodic reviews of the Adequacy Decision. The first periodic review will take place within one year of the enforcement of the EU-US Data Privacy Framework. Based on the outcome of this review, the European Commission will decide on the frequency of future reviews, which will occur at least every four years, in consultation with EU member states and data protection authorities. If there are any changes in the United States that affect the level of data protection, the Adequacy Decision can be amended or revoked accordingly.
In summary, the Adequacy Decision, in effect since July 10, 2023, establishes a framework for the transfer of personal data from the EU to the US. While it does not have a specific time limit, it will undergo regular reviews to ensure its continued effectiveness and compliance with data protection standards. If there are developments in the US that impact data protection, the Decision can be adjusted or canceled as necessary.
5. Conclusion
The EU-US Data Privacy Framework can be seen as the next step in facilitating secure data transfers between the EU and the US, following the International Safe Harbor Privacy Principles and the Privacy Shield Decision. DPF introduces binding assurances and mechanisms to address concerns previously raised by the European Court of Justice. With this decision, US companies participating in the Data Privacy Framework will be able to facilitate the free flow of personal data without requiring additional protective measures.
For the full text of the Adequacy Decision, the press release issued by the Commission, the Questions & Answers section, and the Information Note (in English), please click here.
For more information about the EU-US Data Protection Framework and Data Protection Law, you can contact Çivicik Law Firm and stay updated with our information notes by following us on LinkedIn.