On July 10, 2023, the European Commission (“Commission”) adopted its adequacy decision for the EU-U.S. Data Privacy Framework (“DPF”). The decision concludes that the United States (“US”) ensures an adequate level of data protection – comparable to that of the European Union (“EU”).
What does this mean for EU Individuals and Businesses?
The much-anticipated decision brings a conclusive resolution to the legal uncertainties surrounding the export of EU users’ data by US companies, an issue that has troubled thousands of businesses in recent years. The General Data Protection Regulation (“GDPR”) empowers the Commission to determine, through an implementing act, whether a non-EU country ensures an “adequate level of protection” for personal data equivalent to that provided within the EU. With the new adequacy decision in place, personal data can now flow securely and freely from the EU to US companies participating in the EU-U.S. DPF, eliminating the need for additional data protection measures like Standard Contractual Clauses (“SCC”) or Binding Corporate Rules (“BCR”).
Fundamental Principles of the Novel EU-U.S. Data Privacy Framework
A new set of rules and binding safeguards limits access to data by US intelligence authorities to what is necessary and proportionate to protect national security; US intelligence agencies will adopt procedures to ensure effective oversight of the new privacy and civil liberties standards;
A new two-tier redress system to investigate and resolve complaints from Europeans on access to their data by US intelligence authorities, which includes a Data Protection Review Court (“DPRC”). Individuals can submit a complaint to their national data protection authority, even if they don’t know whether US intelligence agencies collected their data. Afterward, the DPRC will independently investigate and resolve complaints, including by adopting binding remedial measures;
Strong obligations for companies processing data transferred from the EU include the requirement to self-certify that they adhere to the standards through the US Department of Commerce.
US companies can join the EU-U.S. DPF by pledging to adhere to a comprehensive set of privacy obligations. These obligations include deleting personal data when it’s no longer necessary for the original purpose of collection and ensuring the continuous protection of data shared with third parties.
The EU-U.S. DPF introduces enforceable measures that address the concerns highlighted by the Court of Justice of the European Union (“CJEU”) in its Schrems II decision of July 2020. These measures include restricting access to EU data by US intelligence services to what is essential and proportionate and establishing the DPRC to handle complaints from European individuals regarding the collection of their data for national security reasons.
Compared to the Privacy Shield, the new Framework brings about significant improvements. For instance, if the DPRC determines that data was collected in violation of the new safeguards, it will have the authority to mandate the deletion of such data. The enhanced safeguards related to government access to data will complement the obligations required of US companies importing data from the EU.
EU individuals will benefit from several redress mechanisms if US companies wrongly handle their data. The safeguards put in place by the US will also facilitate transatlantic data flows more generally since they also apply when data is transferred by using other tools, such as SCCs and BCRs.
Looking to the Future
The adequacy decision came into effect upon its adoption on July 10, 2023. To ensure the ongoing protection of personal data belonging to individuals in the EU, the Commission will conduct periodic reviews of the EU-U.S. DPF. The first review is scheduled to occur within a year of the EU-U.S. DPF’s operation.
Stay tuned for further details on the EU-U.S. DPF and the self-certification process, which will be revealed on the US Department of Commerce’s dedicated EU-U.S. DPF website. The US Department of Commerce manages and oversees the Framework, while the US Federal Trade Commission will be vigilant in enforcing compliance among US companies.
Making a Change or Putting a Band-Aid on the Data Transfer Issue?
The transfer of personal data from the EU to the US was ruled illegal by the CJEU in two landmark cases, with the latest one being Schrems II, which highlighted concerns about disproportionate access and inadequate protection of European bulk data by US security agencies. After the CJEU invalidated the previous adequacy decision on the EU-U.S. Privacy Shield, the Commission and the US government engaged in discussions to create a new framework addressing the issues.
Although the EU-U.S. DPF has been well-anticipated and welcomed by many, it is expected to face legal challenges in the future, similar to previous frameworks like Safe Harbour and the Privacy Shield. Privacy activist Max Schrems, who initiated the previously mentioned cases, emphasizes that mere claims of being “new,” “robust,” or “effective” won’t suffice in the eyes of the CJEU. Further, Schrems expects the newest version of the adequacy decision “to be back at the Court of Justice by the beginning of next year,” which could “even suspend the new deal while it is reviewing the substance of it.”
Will the CJEU deliver a decisive verdict that sets the stage for a harmonious data flow relationship between the EU and the US? Only time will tell. In the meantime, data keeps flowing, and the EU-U.S. DPF holds the key to the data-sharing saga!
By Milica Novakovic and Nikola Ivkovic, Associates, Gecic Law