The report concludes that the U.S. authorities have established all the constitutive structures and procedures to ensure an effective functioning of the DPF. However, it is too early to determine how well the DPF is functioning in practice. The next periodic review will be carried out in three years, after consultation with the European Data Protection Board (EDPB) on the periodicity of future reviews.
The key findings of the report include:
Certification
To receive personal data from the EU on the basis of DPF, U.S. companies must certify with the U.S. Department of Commerce (DoC) that they adhere to the DPF data protection requirements and are subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) or the Department of Transport (DoT). The report indicates that over 2800 companies are DPF-certified, 47% of which are in the ICT sector.
The report details the verification process by the DoC and points out that at the time of review, 33 applications had been rejected. Feedback received from companies and organisations indicates that DPF-certified companies have taken steps to ensure compliance with the DPF, including internal compliance programs, mechanisms for individuals to exercise their rights, privacy impact assessments, and reviews of existing contracts.
Compliance monitoring and enforcement
The DoC is responsible for monitoring DPF compliance, mainly through ad-hoc web searches and (social) media checks. It also plans to deploy an automated checking system in the near future. At time of review, the DoC detected no issues of compliance, has not referred any companies for possible enforcement action, nor did it receive any referrals from other authorities or complaints from individuals.
Complaint handling
The DPF allows EU individuals to request recourse for cases of non-compliance by certified organisations, by approaching the company itself; using independent recourse mechanisms (IRMs); or commencing binding arbitration before the EU-U.S. DPF Panel. The report shows that DPF-certified companies and trade associations have reported very few, if any, complaints, and the arbitration mechanism has not yet been triggered by any individual.
The report provides helpful insights into the functioning of IRMs. DPF-certified companies that process human resource (HR) data from the EU are required to select an EU data protection authority (DPA) as the IRM for the HR data. For other types of personal data transferred under the DPF, companies are free to select other options, for instance, BBB National Programs, JAMS, TRUSTe or VeraSafe – all described in the report. However, companies may also voluntarily choose the EU DPAs as their IRM. The report identifies that over the half of DPF-certified companies have chosen EU DPAs at their IRM for all data transferred in reliance on the DPF.
Since the Adequacy Decision, the European Data Protection Board (EDPB) has established rules for an "Informal Panel of EU DPAs" to provide binding advice to U.S. organisations on unresolved DPF complaints about personal data transferred from the EU. The panel consists of a lead DPA and other co-reviewer DPAs. It is required to provide advice within 60 days of receiving a complaint. The EDPB has also created a complaint form and FAQs for both European individuals and businesses regarding the DPF. At the time of the review, the panel had not received any complaints.
Guidance and awareness
The DoC has carried out various activities to raise awareness about the DPF, including publishing guidance and FAQs for both individuals and businesses. The report indicates that more work is required to raise awareness as individuals may not be aware of their rights under the DPF. In addition, further guidance for organisations will be provided by the U.S. and EU authorities to clarify, i.a., the notion of HR data under the DPF and specific obligations for HR data processing, requirements for onward transfers and sector-specific approaches to applying the new framework (e.g., for health research and financial services).
U.S. Legal System Developments
The report clarifies that since the adoption of the adequacy decision, the U.S. has seen significant developments in its privacy legal framework, including legislative, regulatory, and case law changes. The report notes that these changes indicate a growing alignment between the EU and U.S. approaches to privacy challenges, using similar legal concepts.
The report addresses the Executive Order (EO) 14117 (February 28, 2024), prohibiting or limiting transactions involving sensitive personal data (e.g., health data, biometric identifiers) with entities in certain "countries of concern", and EO 14110 (October 30, 2023), focusing on safe, secure, and trustworthy artificial intelligence, requiring federal agencies to develop AI-related safety standards and guidelines, including privacy-preserving techniques. As of July 2024, 20 U.S. States have enacted comprehensive privacy laws, with eight states (California, Colorado, Oregon, Virginia, Connecticut, Utah, Texas, and Florida) having these laws in effect. 17 U.S. States have adopted laws addressing automated processing, generally allowing opt-outs for decision-making based on profiling. The report also highlights the U.S. Supreme Court judgment in Loper Bright Enterprises v. Raimondo (June 28, 2024), which has overruled previous case law on the Chevron doctrine. This doctrine allowed courts to defer to a regulatory agency's reasonable interpretation of ambiguous laws. Civil law society representatives and NGOs have expressed concerns about the potential impact of this judgment on the FTC rulemaking authority in privacy matters. However, they suggested that the ruling may have little to no effect on the FTC’s enforcement powers. The FTC stated that it’s too early to determine the exact implications of the judgment but noted that its rulemaking authority under the FTC Act is different from other agencies and less affected by the Chevron doctrine, suggesting that the ruling may have limited impact in this area.
A detailed section of the report is dedicated to the analysis of the U.S. legal framework. The report addresses, among others, the EO 14086, which introduced limitations and safeguards that supplement Section 702 of the Foreign Intelligence Surveillance Act (FISA) and EO 12333. The safeguards provided for in EO 14086 apply to all U.S. intelligence agencies and protect the data of non-U.S. persons. The Commission welcomes in its report various steps taken by U.S. authorities to implement EO 14086.The report also touched upon the issues of reauthorisation of and pending changes to Section 702 FISA, allowing targeting of non-U.S. persons outside the U.S. to acquire foreign intelligence information based on annual certifications approved by the Foreign Intelligence Surveillance Court (FISC).
The report is available here.
