Basically, all business models involving tech are inconceivable without services from American companies. Data transfers to these companies can therefore hardly be avoided. However, many of these data transfers involve personal data, so that European data protection law, in particular the General Data Protection Regulation (GDPR), must be observed.
The GDPR stipulates various requirements for data transfers to areas outside the European Economic Area (EEA) - so-called "third countries", such as the U.S. An important basis for data transfers to third countries is the so-called "adequacy decision": personal data may be transferred to those third countries for which the EU Commission has decided that the third country in question offers an adequate level of data protection.
Such an adequacy decision existed for the U.S. in the form of the "Privacy Shield" agreement of 2016. However, the European Court of Justice (CJEU) declared this adequacy decision invalid in its "Schrems II" ruling of July 16, 2020. The CJEU concluded that the Privacy Shield allowed overly broad access rights for U.S. intelligence services. It gave undue priority to the requirements of national security, public interest and compliance with U.S. law, which did not limit intrusions to a proportionate level: more data than strictly necessary could be collected. Furthermore, no appropriate legal remedies had been provided to data subjects in case of unlawful data access by the intelligence services.
After the ruling, companies certified under the Privacy Shield were effectively compelled to conclude so-called "standard contractual clauses" as an alternative measure to justify their data transfers. However, relying on the standard contractual clauses proves to be a complex challenge in practice. Because of the effort involved, there has long been a desire for a successor to the Privacy Shield.
After negotiations with the EU Commission, the Biden Administration promised to rein in secret surveillance. About 1,000 days after "Schrems II", on 10 July 2023, the Commission, confident that the U.S. assurances would withstand a new test before the CJEU, presented the EU-U.S. Data Privacy Framework ("DPF").
The most important points in brief:
Data Importer Obligations:
In order to benefit from the adequacy decision of the EU Commission, U.S. data importers must submit to and self-certify under the DPF Principles. These correspond to the principles already developed for the Privacy Shield, so that presumably all companies that have already been certified under it could also be certified under the DPF. Businesses can only be certified under the DPF if they are subject to regulation by the U.S. Federal Trade Commission or the U.S. Department of Transportation. The certification will only be accepted by the Department of Commerce if the U.S. businesses commit to adhering to seven principles, namely:
- to inform transparently about their data processing (Notice Principle),
- to offer individuals the opportunity to choose (opt out) whether personal information is disclosed to a third party or used for a purpose that is different from the purpose(s) for which it was originally collected (Choice Principle),
- to accept responsibility for onward transfers (Accountability for Onward Transfer Principle),
- to ensure data security (Security Principle),
- to process only relevant data (Data Integrity and Purpose Limitation Principle),
- to grant data subject rights (Access Principle), and
- to enable effective legal protection (Recourse, Enforcement and Liability Principle).
In addition, there are supplementary principles and special provisions for special types of data, such as from employment relationships, medical research or journalistic activities. The self-certification must be repeated annually.
Intelligence agencies’ obligations:
The two biggest differences between the DPF and its predecessor concern the intelligence agencies’ obligations:
- First, the DPF relies on an Executive Order and not – like the Privacy Shield – on a Presidential Policy Directive. Under U.S. law, an Executive Order likely has more force and cannot be secretly repealed.
- Second, in the Executive Order and accompanying regulation, the United States commits itself to ensuring that public authorities act proportionately when accessing personal data from Europe.
In particular, the intelligence agencies should be able to carry out bulk surveillance in exceptional cases only. Furthermore, they should limit their activities to cases mentioned in the Executive Order (e.g. counter-terrorism) while maintaining proportionality.
Furthermore, an independent review procedure is introduced to deal with complaints of EU citizens related to suspected unlawful processing of their data by intelligence agencies. A Civil Liberties Protection Officer of the Director of National Intelligence (ODNI CLPO) and a Data Protection Review Court (DPRC) are to examine data processing by intelligence agencies and remedy abuses on complaints from those affected. The intelligence agencies are obliged to implement the decisions of these bodies. Under the Privacy Shield, a Privacy Shield Ombudsperson could issue a report and ask the surveillance authorities to remedy deficiencies, but they were not legally obliged to act according to the Ombudsperson's advice.
Entry into force:
The DPF entered into force on 10 July 2023. It is thus immediately applicable and will remain so for the time being. Only the CJEU has the power to nullify it.
The Road ahead:
Now that the adequacy decision is in force, it will form the basis for data transfers for the coming years. For how long remains to be seen: it is only a matter of time until the matter is brought before the CJEU, which will have to decide on the future of the DPF.
The new EU-U.S. Data Privacy Framework presents both opportunities and challenges, and understanding its implications is key to ensuring compliance and leveraging its benefits.
- Review and Understand the Framework: Familiarize yourself with the key components of the EU-U.S. Data Privacy Framework. Understand the obligations it imposes, the rights it grants, and the mechanisms it provides for redress and compliance.
- Consider Self-Certification: If your organization transfers personal data from the EU to the U.S., consider whether self-certification under the new framework is the right step for you. Review the self-certification process and requirements, and assess your organization's readiness to comply.
- Update Your Privacy Policies and Practices: Review your current privacy policies and practices to ensure they align with the Principles of the new framework. This includes your policies on data access, redress mechanisms, and compliance verification.
- Monitor Updates and Guidance: Stay tuned for further guidance from the U.S. Department of Commerce, especially if you're currently participating in the EU-U.S. Privacy Shield Framework. This guidance will be crucial in facilitating a smooth transition to the new framework.
- Seek Legal Advice: Given the complexities of data privacy laws and the potential implications of non-compliance, consider seeking legal advice. A data privacy lawyer can provide tailored advice based on your organization's specific circumstances and needs.
- Stay Informed: Keep an eye on our Global Data Hub for updates and insights into the world of data privacy. As the situation evolves, we'll continue to provide the latest information and expert analysis to help you navigate these changes.
Remember, the journey to data privacy compliance is ongoing. As the EU-U.S. Data Privacy Framework takes effect, it's more important than ever to stay informed, proactive, and prepared. If you have any questions or need further clarification on any points, feel free to reach out to us. We're here to help you navigate this new era of data privacy.