On July 10th 2023, the European Commission announced the adoption of its adequacy decision for the EU-US Data Privacy Framework (DPF). This decision signifies that the US ensures a level of data protection comparable to that of the EU, allowing for the safe and secure transfer of personal data from the EU to US companies participating in the DPF. However, the adoption of the adequacy decision has not been without criticism, with non-profit organizations such as None of Your Business (NOYB), founded by Austrian lawyer and privacy activist Max Schrems, raising concerns regarding its effectiveness. This article examines the key elements of the DPF, its practicalities, and the criticisms it has (already) faced.
1. Background
After the Court of Justice of the European Union (CJEU) invalidated the Safe Harbour in 2015 (it had been in force since 2000) and the Privacy Shield (effective since 2016) in 2020, each time following complaints from NOYB, the need for a new framework for safe and secure data transfers from the EU to the US arose. The decisions invalidating the previous frameworks highlighted the limitations to the protection of personal data arising from US domestic law, particularly concerning access and use by US public authorities for national security purposes.
After several years of negotiations, the European Commission has now concluded that the US does provide an adequate level of protection of personal data equivalent to that of the EU. This decision, establishing the DPF, allows for the free flow of personal data from the EU to US companies participating in the DPF, without the need for additional safeguards. The new adequacy decision addresses, or at least tries to address, the concerns raised by the CJEU and introduces binding safeguards to ensure the necessary protection of EU personal data from unwanted access by US authorities.
2. The Overview of Rules
2.1. Key Safeguards
To address the CJEU's concerns and provide stronger privacy protections, the DPF incorporates several key safeguards:
- Limiting Access to EU Data: The DPF restricts access to EU data by US intelligence services to what is necessary and proportionate.
- Data Protection Review Court (DPRC): The framework establishes the DPRC, an independent and impartial redress mechanism accessible to EU individuals.
- Enhanced Rights for EU Individuals: The DPF grants EU individuals several new rights, comparable to those present under the GDPR, including the right to access, correct, or delete their data if it is handled incorrectly or unlawfully by US companies.
- Implementation of Privacy Principles: The framework incorporates several obligatory principles (the Principles) similar to the basic principles under the GDPR, such as purpose limitation, data minimization, security, data accuracy, transparency, and restrictions on onward transfers.
2.2. Principles
The principles included in the DPF are subdivided into Main Principles and Supplementary Principles, together referred to as the "Principles". These Principles differ only slightly from those previously present in the invalidated Privacy Shield. Most Principles, such as Notice, Choice, Accountability for Onward Transfers, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability, remain, but some of the Sub-Principles, such as Self-Certification, have been altered so as to require companies to provide more in-depth information.
If a company wishes to withdraw from the DPF, it is obliged to inform the Department of Commerce (DoC) of this intent in advance, along with what it intends to do with the personal data it received under the DPF (i.e., retain, return, or delete it). If the data is retained, the company must either annually confirm its continued application of the Principles to that data or provide "adequate" protection by another authorized means.
2.3. Self-certification mechanism
The DPF follows the example of its predecessors, the Safe Harbour and the Privacy Shield, by retaining a system of self-certification. This means that companies can receive EU personal data in the US, provided that they publicly certify and communicate their compliance with a set of predetermined Principles.
Self-certification requires companies to submit information on their intended processing of EU personal data to the DoC through a newly established website, including a submission stating that the company adheres to the "EU-US Data Privacy Framework Principles" set out in the DPF. The DoC will then include the company on a "DPF List" that will be publicly available online. The protection provided by the DPF applies as of the company's inclusion on that list.
Companies that were self-certified under the previous transfer mechanism, i.e., the Privacy Shield, are obliged by the DPF to update their privacy policies to refer to the Principles within three months (i.e., by 10/10/2023) to ensure the DPF applies to them.
In any case, companies are required to re-certify annually to remain covered by the DPF. If re-certification does not occur, the DoC will remove such companies from the DPF List and include them on a public record of organisations that have been removed from the list, in each case identifying the reason for the removal.
2.4. Relationship with Other Transfer Mechanisms
The safeguards established under the DPF also facilitate reliance on other transfer mechanisms, such as standard contractual clauses (SCCs) and binding corporate rules (BCRs). Companies currently making use of SCCs or BCRs could to some extent rely on the safeguards provided by the DPF when conducting their Data Transfer Impact Assessments (DTIAs). This broader application facilitates transatlantic data flows and provides consistent privacy protections regardless of the transfer method used.
3. Criticism and Potential Legal Proceedings
NOYB has already expressed its concerns regarding the DPF. It argues that the framework is practically the same as the previously invalidated Privacy Shield and Safe Harbour agreements. Accordingly, NOYB highlights specific issues, inter alia:
- Bulk Surveillance and Proportionality: US bulk surveillance would still not satisfy the principle of proportionality as defined by the CJEU, despite President Biden's signature of the US Executive Order on 'Enhancing Safeguards for United States Signals Intelligence Activities' on 7 October 2022. This Executive Order introduced new binding safeguards to address the points raised by the CJEU in Schrems II in July 2020, such as limiting access by US intelligence agencies to what is necessary and proportionate.
- Redress Mechanism: NOYB criticizes the redress mechanism of the DPRC established within the DPF, stating that the new provisions fall short of complying with Article 47 of the EU Charter, which provides for the "Right to an effective remedy and to a fair trial". The renamed mechanism would lack direct interaction between individuals and the newly established redress bodies, potentially hindering effective redress.
- Non-US Persons' Privacy Protections: The US refusal to reform FISA 702 remains a concern. FISA 702 is a key provision of the FISA Amendments Act of 2008 that permits the government to conduct targeted surveillance of foreign persons located outside the US, with the compelled assistance of electronic communication service providers, in order to acquire foreign intelligence information.
4. Review & Enforcement
The adequacy decision took effect immediately upon its adoption on July 10th. The European Commission will continuously monitor developments in the US and conduct periodic reviews. The first review will occur within one year, in July 2024. Based on the outcome of this review, the Commission will determine the frequency of future reviews, which should take place at least every four years. Note that adequacy decisions can be adapted or even withdrawn if there are significant developments affecting the level of data protection in the third country.
The US DoC will, as already pointed out above, administer the framework, process certification applications and monitor ongoing compliance. The effective enforcement of compliance by US companies, however, falls under the responsibility of the US Federal Trade Commission (FTC), which will enforce the DPF through ex officio investigations as well as complaint handling.
5. Conclusion
The EU-US Data Privacy Framework can be seen as a next step in facilitating secure data transfers between the EU and the US. The framework introduces binding safeguards and mechanisms to address concerns raised by the CJEU in its earlier case law.
However, criticism and potential legal challenges from organizations like NOYB highlight the ongoing debate surrounding the effectiveness and alignment of the DPF with EU data protection standards. Continuous monitoring and periodic reviews will be crucial to ensure the framework's adequacy remains intact, providing a secure foundation for transatlantic data flows. Until any potential invalidation, which will most likely not happen in the first couple of years (unless the DPF does not even survive its first annual review by the European Commission), companies can nonetheless rely on the DPF to lawfully transfer personal data to companies adhering to the DPF in the US, without needing to perform DTIAs or to rely on other transfer mechanisms such as Standard Contractual Clauses or Binding Corporate Rules.