EU-U.S. Data Privacy Framework Was Adopted by the European Commission

On July 11, the European Commission adopted its adequacy decision for the long-awaited EU-U.S. Data Privacy Framework (DPF) which enables in particular multinational companies[1] that are in need of move data on their customers across borders to transfer data from Europe to US in compliance with the comparable data protection regulations with those of the EU. Twenty-four EU member states — representing a population of more than 424 million — voted 7 July in favor of the DPF while three unnamed member states abstained[2] upon the completion of commitments under Biden’s executive order.[3].

Why is such an agreement needed?

Under GDPR, adequacy decisions of the European Commission is needed for free data flow from the EU (and Norway, Liechtensein and Iceland) to a third country without further obstacles. According to Article 45(3) of the GDPR, the ‘Commission’ is to decide whether a non-EU country ensures ‘an adequate level of protection' - a level of protection for personal data that is essentially equivalent to the level of protection within the EU. Therefore, through the adoption of DPF by the Comission, the data will be moved to certified US companies without further inquiries.

Background

The DPF does not constitute the first attempt to regulate the data flow from EU to the US. However, prior regulation called ‘Privacy Shield Agreement’ deemed illegal by the European Court of Justice (ECJ) in the verdict ‘Schrems II’ of July 2020on the grounds that “it is not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law”. The Court merely found that lack of necessity and proportionality limits on U.S. Surveillance programs and insufficient redress rights to challenge unlawful governments surveillance.[4]

In the wake of the aforementioned developments, the parties were set for a new framework that takes note of the ECJ’s criticisms. In March 2022, President von der Leyen and President Biden announced that they had reached an agreement in principle on a new transatlantic data flows framework[5]. After the negotiations, President Biden signed an executive order on “Enhancing Safeguards for United States Signals Intelligence Activites”[6] which was complemented by regulations issued by US Attorney General Garland and which adresses the concerns raised by the ECJ in its Schrems II.

In the light of European jurisprudence, the Executive Order ensured binding safeguards limiting access to data by US Intelligence authorities to what is ‘necessary and proportionate’ to protect national security. An enhanced oversight of the US Intelligence Service to enable the security explained was provided and an independant and impartial redress mechanism encountering a new Data protection Review Court entitled to investegate and resolve complaints with respect to US national security authorities access to data was established.[7]

What does the DPF bring about?

The EU-U.S. DPF strives to introduce new binding safeguards to adress all the concerns raised by the ECJ by also taking into account the several points of improvement mentioned by the European Data Protection Board. The new frameworks contains significant improvements compared to Privacy Shield such as limited access to EU data by US intelligence services as well as public authorities to what is necessary and proportionate to protect national security and a Data Protection Review Court with the power of adopting binding remedial measures to investigate EU individuals’ complaints. Moreover, the deletion of data is possible if the data collection found in violation of the new safeguards.[8]

Redress avenues are too provided for EU individuals in case their data is not appropriately handled by the US companies. The latter consists of free of charge independant dispute resolution mechanisms and an arbitration panel.[9]

What do the officials say?

President Biden, in a statement released by White House evaluated the new framework as an improvement for new economic opportunities[10] while the European Commission President Ursula von der Leyen confirmed that it will ensure data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic. The U.S. unprecendented commitments were also appreciated. The commissioner Reynders who took part in negotiations is also of the opinion that the Comission finaly achieved the right balance between collective security and individual rights.

Despite all the praises, the framework is also subject to critiques from privacy advocay organizations that has already legally challenged the Privacy Shield and its predeccosr the Safe Harbour Framework as it represents “a large copy” of the earlier versions.[11]

What might be the potential infringements under GDPR?[12]

According to the Austrian activist Max Schrems who gave rise the Schrems II decision ,thus the invalidation of the predecessor of DPF; the newest version of the adequacy decision is to be back at the Court by the beginning of the next year.[13]

The mere concerns towards the new regulation can be enumarated as the work method and independance of redress mechanism – as it is under the U.S.executive branch-, the interpretation of the terms ‘necessity and proportionality’ for national security purposes by U.S.authorities and compliance of this with EU jurisprudence.[14]

What is next for the implementation of the DPF?

According to Commission reports, the functioning of the DPF will be subject to periodic reviews to be carried out by itself accompanied by European data protection authorities and competen U.S.authorities. First review will have been made as of the end of the frameworks’ entry into force.[15]

The adequacy decision prescribes that the only certified undertakings are to move data without further requirements and that these undertakings are required to re-certify their adherence to the the Principles on an annual basis. Principles includes obligations reflecting GDPR’s view: for instance the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties. Those that are found to persistently fail to comply with the principles will be removed from the DPF list and be obliged to return or delete personal data received under the said regulation.[16]

The European Data Protection Board declared to be developing "an information note for stakeholders on the implications of the DPF" in the coming weeks[17].

Moreover, The U.S. International Trade Administrratrion launched a Data Privacy Framework website[18] that includes information on self-ceritifcation, participating organizations, enforcement and more.