Basically, all business models involving tech are inconceivable without services from American companies. Data transfers to these companies can therefore hardly be avoided. However, many of these data transfers involve personal data, so that European data protection law, in particular the General Data Protection Regulation (GDPR) must be observed. The GDPR stipulates various requirements for data transfers to areas outside the European Economic Area (EEA) - so-called "third countries", such as the U.S. An important basis for data transfers to third countries are so-called “adequacy decisions”: Personal data may be transferred to those third countries for which the EU Commission has decided that the third country in question offers an adequate level of data protection.
Such an adequacy decision existed for the U.S. with the "Privacy Shield" agreement from 2016. However, the European Court of Justice (ECJ) declared this adequacy decision invalid in its "Schrems II" ruling of July 16, 2020. The European Court of Justice concluded that the Privacy Shield allowed for too broad access rights by U.S. intelligence services. It gave undue priority to the requirements of national security, public interest and compliance with U.S. law, which did not limit intrusions to a proportionate level - more than only the mandatory data could be collected. Furthermore, no appropriate legal remedies had been provided to the data subjects in case of unlawful data access by the intelligence services.
After the ruling, companies certified under the Privacy Shield were factually compelled to conclude so-called “standard contractual clauses” as an alternative measure to justify the data transfers. However, relying on the standard contractual clauses proves to be a complex challenge in practice. Because of the effort involved, there has always been a desire for a new edition of the Privacy Shield.
After negotiations with the EU Commission the Biden Administrations promised to reign in the secret surveillance. The Commission, confident that the US assurances will stand a new test by the ECJ, presented a draft new adequacy decision on 14 December 2022, the “Data Privacy Framework” or “DPF”.
In order to benefit from the adequacy decision of the EU Commission, U.S. Data importers must submit to and self-certify under the DPF Principles. These correspond to the principles already developed for the Privacy Shield, so that presumably all companies that have already been certified under it could also be certified under the DPF. Businesses can only be certified under DPF if they are subject to regulation by the U.S. Federal Trade Commission or the U.S. Department of Transportation. The certification will only be accepted by the Department of Commerce if the U.S. businesses commit to adhering to seven principles, namely:
In addition, there are supplementary principles and special provisions for special types of data, such as from employment relationships, medical research or journalistic activities. The self-certification must be repeated annually.
The two biggest differences between the DPF and its predecessor concern the intelligence agencies’ obligations:
In particular, the intelligence agencies should be able to carry out bulk surveillance in exceptional cases only. Furthermore, they should limit their activities to cases mentioned in the Executive Order (e.g. counter-terrorism) while maintaining proportionality.
Furthermore, an independent review procedure is introduced to deal with complaints of EU citizens related to suspected unlawful processing of their data by intelligence agencies . A Civil Liberties Protection Officer of the Director of National Intelligence (ODNI CLPO) and a Data Protection Review Court (DRPC) are to examine data processing by intelligence agencies and remedy abuses on complaints from those affected. The intelligence agencies are obliged to implement the decisions of these bodies. Under the Privacy Shield a Privacy Shield Ombudsperson could issue a report and ask the surveillance authorities to remedy deficiencies, but they were not legally obliged to act according the Ombudsperson’s advice.
The entry into force of the DPF depends on two factors:
i. U.S. intelligence agencies must actually implement the requirements laid out in the Executive Order and
ii. the US government must still explicitly recognize the European Union as a qualified entity within the meaning of the Executive Order.
Once the adequacy decision is in force, it will form the basis for data transfers for the following years. For how long remains to be seen – it is only a matter of time until the matter is brought before the ECJ, who will have to decide on the future of the DPF.
Michael Tan, Julian Sun, Paul Voigt and Wiebke Reuter look at what China's new SCCs mean for businesses looking to export personal data from China to the EU.