What is the EU-U.S. Data Privacy Framework about?
On July 10, 2023, the EU Commission issued a new adequacy decision for the transfer of personal data to the USA under the name “EU-U.S. Data Privacy Framework” (DPF). This means that, on the basis of this adequacy decision, personal data from the EU or the EEA may (again) be transferred to the U.S. with legal certainty. However, the adequacy decision does not apply to all organisations in the U.S., but only to those that accept the requirements of the EU-U.S. Data Privacy Framework as binding and have committed to them through self-certification. The EU-U.S. Data Privacy Framework can thus be thought of as a GDPR “light” to which U.S. organizations can voluntarily submit. The relevant certification principles can be viewed here. In the opinion of the EU Commission, this mechanism provides a level of protection that essentially corresponds to that of the EU.
History of the EU-U.S. Data Privacy Framework
Such an adequacy decision already existed for the U.S. with the Safe Harbor agreement from 2000 as well as the EU-U.S. Privacy Shield agreement from 2016. The European Court of Justice (CJEU) declared both adequacy decisions invalid in its rulings “Schrems I” from October 06, 2015 and “Schrems II” from July 16, 2020. In both decisions, the CJEU concluded that the surveillance programs based on U.S. legislation were not limited to what was necessary. Affected individuals who are not U.S. citizens also have no judicially enforceable rights. Furthermore, the CJEU stated that the ombudsperson provided for by the Privacy Shield is not independent and cannot issue binding decisions against U.S. intelligence agencies.
How does the EU-U.S. Data Privacy Framework work?
Just like its predecessors, the new EU-U.S. Data Privacy Framework depends on self-certification by U.S. organizations. This means that U.S. companies can carry out their certification on their own, without verification by an authority. This is done by filling out a form online and submitting it together with a link to the organisation’s privacy information. The administration and monitoring of the certification is the responsibility of the U.S. Department of Commerce (DoC). Certification takes place via the following DoC website: www.dataprivacyframework.gov. All certified organizations can also be viewed there.
The EU-U.S. Data Privacy Framework principles are essentially the same as those already developed for the Privacy Shield. All companies that have already certified under the Privacy Shield will thus only have to comply with the DPF principles and amend their privacy information accordingly no later than October 10, 2023. No new certification is required for these organizations and the adequacy decision applies to them immediately. Self-certification must be repeated annually by these organizations, but also by all newly certifying organizations. Organizations found to be in persistent non-compliance with the Principles will be removed from the EU-U.S. Data Privacy Framework list and will be required to delete personal data received under the EU-U.S. Data Privacy Framework.
What is really new about the EU-U.S. Data Privacy Framework?
All in all, this sounds like old wine in new bottles. So what is really “new”? The adequacy decision provides for new mandatory safeguards to address the concerns raised by the CJEU. These include restrictions designed to ensure that U.S. intelligence activities are necessary and proportionate in pursuit of specific national security objectives. Of particular note here is U.S. President Joe Biden’s assurance in Executive Order 14086 limiting access by U.S. intelligence agencies to personal data of individuals in the EU. Executive Order 14086 states that individuals from the EU can first appeal, via an EU supervisory authority, to the Civil Liberties Protection Officer (CLPO), who is located in the Office of the Director of National Intelligence, and, if this is unsuccessful, in a further step to the Data Protection Review Court (DPRC). If necessary, the DPRC may order the relevant intelligence agencies to take remedial action, including deletion of data, termination of processing, and a change in collection practices.
Does the new EU-U.S. Data Privacy Framework bring legal certainty?
It remains to be seen whether the EU-U.S. Data Privacy Framework will stand up to scrutiny by the CJEU or whether the now third adequacy decision – true to the adage “old wine in new bottles” – will fail. Max Schrems, who successfully challenged the legality of the EU-U.S. Safe Harbour Agreement as well as the EU-U.S. Privacy Shield before the CJEU, has already announced that he will take legal action against the new adequacy decision. The lawsuit could drag on for several years; however, according to the statement by Max Schrems and his organization (“noyb”), the dispute could be referred to the CJEU by a national court as early as late 2023/early 2024. The CJEU would then have the option to suspend the EU-U.S. Data Privacy Framework for the duration of the proceedings. The upcoming U.S. elections in 2024 could also put the adequacy decision to the test, as it is largely based on an executive order issued by President Biden. If the assurances contained therein are not, or no longer, complied with, the EU Commission would itself be forced to repeal the adequacy decision as part of its regular review.
What does the EU-U.S. Data Privacy Framework mean for EU organisations that transfer personal data to the U.S.?
First, there is a not inconsiderable likelihood that the EU-U.S. Data Privacy Framework will indeed fail for a third time. In this respect, we recommend:
- Continue to be stringent in concluding EU standard data protection clauses with U.S. organizations.
- Select only U.S. organizations certified under the EU-U.S. Data Privacy Framework (see the list at www.dataprivacyframework.gov). The Transfer Impact Assessment (TIA) required by the standard contractual clauses can then reference the EU-U.S. Data Privacy Framework and the certification of the respective organization.
- Also keep an eye on all subcontractors and check whether they are certified as well.
- Keep an overview! Data processing operations that involve data transfer to the U.S. should be clearly identified as such in the list of processing activities. Then you can react quickly to a change in the legal situation, e.g. if the CJEU suspends the EU-U.S. Data Privacy Framework.
- Update your privacy information to the extent that you rely on the EU-U.S. Data Privacy Framework. Cite the U.S. organization’s certification and indicate the appropriate remedies.
In the event that U.S. organizations are not certified and do not wish to be certified, a full TIA and a standard contractual clauses agreement including additional safeguards will still be required as the basis for data transfers. However, the threshold for certification under the EU-U.S. Data Privacy Framework is relatively low. Thus, if the EU-U.S. Data Privacy Framework option is available to U.S. organizations and they do not use it, we think there is little argument for allowing them to process personal data from the EU. In other words, there is much to be said here in favor of the inadmissibility of such data transfers.
If you have any questions or need advice on international data transfers, please feel free to contact us. We will be happy to help you find the optimal solution for your organization.