11 July 2023
Basically, all business models involving tech are inconceivable without services from American companies. Data transfers to these companies can therefore hardly be avoided. However, many of these data transfers involve personal data, so that European data protection law, in particular the General Data Protection Regulation (GDPR) must be observed.
The GDPR stipulates various requirements for data transfers to areas outside the European Economic Area (EEA) - so-called "third countries", such as the U.S. An important basis for data transfers to third countries is the so-called "adequacy decision": personal data may be transferred to those third countries for which the EU Commission has decided that the third country in question offers an adequate level of data protection.
Such an adequacy decision existed for the U.S. in the form of the "Privacy Shield" agreement from 2016. However, the Court of Justice of the European Union (CJEU) declared this adequacy decision invalid in its "Schrems II" ruling of July 16, 2020. The CJEU concluded that the Privacy Shield allowed for too broad access rights by U.S. intelligence services. It gave undue priority to the requirements of national security, public interest and compliance with U.S. law, which did not limit intrusions to a proportionate level, so that more than only the strictly necessary data could be collected. Furthermore, no appropriate legal remedies had been provided to the data subjects in case of unlawful data access by the intelligence services.
After the ruling, companies certified under the Privacy Shield were effectively compelled to conclude so-called "standard contractual clauses" as an alternative measure to justify the data transfers. However, relying on the standard contractual clauses proves to be a complex challenge in practice. Because of the effort involved, there has always been a desire for a new edition of the Privacy Shield.
After negotiations with the EU Commission, the Biden Administration promised to rein in the secret surveillance. About 1000 days after "Schrems II", on 10 July 2023, the Commission, confident that the U.S. assurances will withstand a new test by the CJEU, presented the EU-U.S. Data Privacy Framework, or "DPF".
In order to benefit from the adequacy decision of the EU Commission, U.S. data importers must submit to and self-certify under the DPF Principles. These correspond to the principles already developed for the Privacy Shield, so that presumably all companies that have already been certified under it could also be certified under the DPF. Businesses can only be certified under the DPF if they are subject to regulation by the U.S. Federal Trade Commission or the U.S. Department of Transportation. The certification will only be accepted by the Department of Commerce if the U.S. businesses commit to adhering to seven principles, namely:
In addition, there are supplementary principles and special provisions for special types of data, such as from employment relationships, medical research or journalistic activities. The self-certification must be repeated annually.
The two biggest differences between the DPF and its predecessor concern the obligations of the intelligence agencies:
In particular, the intelligence agencies should be able to carry out bulk surveillance in exceptional cases only. Furthermore, they should limit their activities to the cases mentioned in the Executive Order (e.g. counter-terrorism) while maintaining proportionality.
Furthermore, an independent review procedure is introduced to deal with complaints of EU citizens related to suspected unlawful processing of their data by intelligence agencies. A Civil Liberties Protection Officer of the Director of National Intelligence (ODNI CLPO) and a Data Protection Review Court (DPRC) are to examine data processing by intelligence agencies and remedy abuses on complaints from those affected. The intelligence agencies are obliged to implement the decisions of these bodies. Under the Privacy Shield, a Privacy Shield Ombudsperson could issue a report and ask the surveillance authorities to remedy deficiencies, but they were not legally obliged to act according to the Ombudsperson's advice.
The DPF entered into force on 10 July 2023. It is thus immediately applicable and will remain so for the time being. Only the CJEU has the power to nullify it.
Now that the adequacy decision is in force, it will form the basis for data transfers for the coming years. For how long remains to be seen: it is only a matter of time until the matter is brought before the CJEU, which will have to decide on the future of the DPF.
The new EU-U.S. Data Privacy Framework presents both opportunities and challenges, and understanding its implications is key to ensuring compliance and leveraging its benefits.
Remember, the journey to data privacy compliance is ongoing. As the EU-U.S. Data Privacy Framework takes effect, it's more important than ever to stay informed, proactive, and prepared. If you have any questions or need further clarification on any points, feel free to reach out to us. We're here to help you navigate this new era of data privacy.
by multiple authors
by Dr. Nicolai Wiegand, LL.M. (NYU) and Alexander Schmalenberger, LL.B.