After the Court of Justice of the European Union (CJEU) invalidated the Safe Harbour in 2015 (it had been in force since 2000) and the Privacy Shield (effective since 2016) in 2020, each time following complaints from NOYB, the need for a new framework for safe and secure data transfers from the EU to the US arose. The decisions invalidating the previous frameworks highlighted the limitations to the protection of personal data arising from US domestic law, particularly concerning access and use by US public authorities for national security purposes.
After several years of negotiations, the European Commission has now concluded that the US provides a level of protection of personal data that is adequate, i.e., essentially equivalent to that of the EU. This decision, establishing the DPF, allows for the free flow of personal data from the EU to US companies participating in the DPF, without the need for additional safeguards. The new adequacy decision addresses, or at least tries to address, the concerns raised by the CJEU and introduces binding safeguards to ensure the necessary protection of EU personal data from unwanted access by US authorities.
2. The Overview of Rules
2.1. Key Safeguards
To address the CJEU's concerns and provide stronger privacy protections, the DPF incorporates several key safeguards:
- Limiting Access to EU Data: The DPF restricts access to EU data by US intelligence services to what is necessary and proportionate.
- Data Protection Review Court (DPRC): The framework establishes the DPRC, an independent and impartial redress mechanism accessible to EU individuals.
- Enhanced Rights for EU Individuals: The DPF grants EU individuals several new rights, comparable to those present under the GDPR, including the right to access, correct, or delete their data if it is handled incorrectly or unlawfully by US companies.
- Implementation of Privacy Principles: The framework incorporates several obligatory principles (the Principles) similar to the basic principles under the GDPR, such as purpose limitation, data minimization, security, data accuracy, transparency, and restrictions on onward transfers.
The principles included in the DPF are subdivided into Main Principles and Supplementary Principles, together referred to as the “Principles”. These Principles differ only slightly from those that were previously present in the invalidated Privacy Shield. Most Principles, such as Notice, Choice, Accountability for Onward Transfers, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability, remain, but some of the Sub-Principles, such as Self-Certification, have been altered so as to require companies to provide more in-depth information.
If a company wishes to withdraw from the DPF, it is obliged to inform the Department of Commerce (DoC) of this intent in advance, along with what the company intends to do with the personal data that it received under the DPF (i.e., retain, return, delete). In case of retention, such company must either annually confirm its continued application of the Principles to that data or provide “adequate” protection by another authorized means.
2.3. Self-certification mechanism
The DPF follows the example of its predecessors, the Safe Harbour and the Privacy Shield, by retaining a system of self-certification. This means that companies can receive EU personal data in the US, provided that they publicly certify and communicate their compliance with a set of predetermined Principles.
Self-Certification requires companies to submit information on their intended processing of EU personal data to the DoC through a newly established website, including a submission stating that the company adheres to the “EU-US Data Privacy Framework Principles”, set out in the DPF. The DoC will then include the company on a “DPF List” that will be publicly available online. The protection provided by the DPF will apply as of the inclusion on said list.
As to companies that were self-certified under the previous transfer mechanism, i.e., the Privacy Shield, the DPF obliges them to update their privacy policies to refer to the Principles within three months (i.e., by 10/10/2023) so as to ensure the DPF is applicable to them.
In any case, companies are required to re-certify annually so as to remain covered by the DPF. If re-certification does not occur, the DoC will remove such companies from the DPF List and include them on a public record of organisations that have been removed from the list, in each case identifying the reason for such removal.
2.4. Relationship with Other Transfer Mechanisms
The safeguards established under the DPF also facilitate reliance on other transfer mechanisms, such as standard contractual clauses (SCCs) and binding corporate rules (BCRs). Companies currently making use of SCCs or BCRs could to some extent rely on the safeguards provided by the DPF when conducting their Data Transfer Impact Assessments (DTIAs). This broader application facilitates transatlantic data flows and provides consistent privacy protections regardless of the transfer method used.
3. Criticism and Potential Legal Proceedings
NOYB has already expressed its concerns regarding the DPF. It argues that the framework is practically the same as the previously invalidated Privacy Shield and Safe Harbour agreements. Accordingly, NOYB highlights specific issues, inter alia:
- Bulk Surveillance and Proportionality: US bulk surveillance would still not satisfy the principle of proportionality as defined by the CJEU, despite the signature of the US Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’ on 7 October 2022 by President Biden. This Executive Order introduced new binding safeguards to address the points raised by the CJEU in Schrems II in July 2020, such as the limitation of access by US intelligence agencies to only what is necessary and proportionate.
- Redress Mechanism: NOYB criticizes the redress mechanism of the DPRC established within the DPF, stating that the new provisions fall short of complying with Article 47 of the EU Charter, which provides for the “Right to an effective remedy and to a fair trial”. The renamed mechanism would lack direct interaction between individuals and the newly established redress bodies, potentially hindering effective redress.
- Non-US Persons' Privacy Protections: The US refusal to reform FISA 702 remains a concern. FISA 702 is a key provision of the FISA Amendments Act of 2008 that permits the government to conduct targeted surveillance of foreign persons located outside the US, with the compelled assistance of electronic communication service providers, in order to acquire foreign intelligence information.
4. Review & Enforcement
The adequacy decision took effect immediately upon its adoption on July 10th. The European Commission will continuously monitor developments in the US and conduct periodic reviews. The first review will occur within one year, in July 2024. Based on the outcome of this review, the Commission will determine the frequency of future reviews, which should take place at least every four years. Note that adequacy decisions can be adapted or even withdrawn if there are significant developments affecting the level of data protection in the third country.
The US DoC will, as already pointed out above, administer the framework, process certification applications and monitor ongoing compliance. The effective enforcement of compliance by US companies, however, falls under the responsibility of the US Federal Trade Commission (FTC), which will enforce the DPF through ex officio investigations as well as complaint handling.
The EU-US Data Privacy Framework can be seen as a next step in facilitating secure data transfers between the EU and the US. The framework introduces binding safeguards and mechanisms to address concerns raised by the CJEU in its earlier case law.
However, criticism and potential legal challenges from organizations like NOYB highlight the ongoing debate surrounding the effectiveness of the DPF and its alignment with EU data protection standards. Continuous monitoring and periodic reviews will be crucial to ensure the framework's adequacy remains intact, providing a secure foundation for transatlantic data flows. Until any potential invalidation, which will most likely not happen in the first couple of years (unless the DPF does not even survive its first annual review by the European Commission), companies can nonetheless rely on the DPF to lawfully transfer personal data to participating companies in the US, without needing to perform DTIAs or to rely on other transfer mechanisms such as Standard Contractual Clauses or Binding Corporate Rules.