Third times a charm? The new EU-US Data Privacy Framework

This decision became necessary after the Court of Justice of the European Union’s (CJEU)’s Schrems II ruling in July 2020, which invalidated the EU-US Privacy Shield, DPF's predecessor. The Court’s principal concerns in Schrems II were that US public authorities' use of and access to EU data were not restricted by the principle of proportionality, and that there were no effective redress mechanisms for EU data subjects to challenge surveillance practices. The US has since introduced safeguards via an Executive Order in October 2022 and an associated Regulation issued by the US Attorney General establishing a new Data Protection Review Court. These changes are described in detail in the decision. The decision was immediately effective – i.e. as of 10 July 2023 and the official DPF website will be operational from 17 July.

What does this mean for transfers of personal data to organisations which self-certify under the DPF?

The DPF is a modification of the prior EU-US Privacy Shield. The European Commission’s decision means that personal data can be transferred from the EU to companies which self-certify under the DPF without any other data transfer mechanisms (like Standard Contractual Clauses s or Binding Corporate Rules). Further, organisations transferring personal data to importers who participate in the DPF will not need to carry out transfer risk assessments, because the DPF benefits from an adequacy decision.

What does this mean for other transfers of personal data to the US – ie using SCCs or BCRs?

Here, organisations are obliged to continue conducting a transfer impact assessment, (TIA) along with using SCCs, as mandated by the Schrems II decision of the CJEU. However, the sections of the TIA which consider public authorities’ ability to access and use transferred personal data should reflect the content of the adequacy decision. In the light of the Commission’s positive assessment of these changes, data exporters should confidently be able to conclude that US law meets EU requirements in this regard.

What does this mean for organisations that are self-certified under Privacy Shield or who want to participate in the DPF?

Companies that have continued their participation in Privacy Shield should find it relatively easy to convert their Privacy Shield participation into DPF participation. Such organisations must update references in their privacy policies to the “EU-US Data Privacy Framework Principles” within three months (EU-US Data Privacy Framework Principles). Otherwise, as long as a company continues to comply with the principles, the transition is automatic. The US Department of Commerce (“DOC”) DoC states "the process to self-certify and re-certify annually will remain substantively the same".

Companies that are part of the DPF will need to comply with the principles of the DPF. These Principles are substantially similar to those under the Privacy Shield. The DOC states: "the EU-U.S. DPF will not create new substantive obligations for participating organizations with regards to protecting EU personal data [compared to the EU‑US Privacy Shield Framework]. The privacy principles […] will remain substantively the same."

While the Principles retain the headings as used under the Privacy Shield. There are some minor differences to the supplemental principles. For example, there are also some differences in the way that annual fees are paid, for example the former USD 500 cap is removed. There are also some minor changes to self-certification. The DPF requires the organization to list more contact details and the names of any U.S. entities or subsidiaries. The DPF also introduces a more detailed procedure for Program departure, specifying that the organization must communicate whether it intends to retain, return, or delete the data upon withdrawal. Participants must also give more details where there is a corporate status change and gives more specific options for the resulting entity's participation in the DPF.

Enforcement of the DPF itself continues to be by the Federal Trade Commission (FTC) and the Department of Transport (DoT). The European Commission will monitor the DPF through periodic checks and ensure compliance by US authorities. There is also a provision for a periodic joint review by the EU and US. If the US does not meet its commitments, the DPF could be suspended by the EC.

The US Government has implemented a two-tier mechanism to address complaints from individuals in the EEA where data has been transferred to the US, in respect of access by US intelligence agencies. Individuals can submit complaints to their national data protection authority, which are then passed to the United States via the European Data Protection Board. The initial investigation of complaints is performed by the US intelligence community's 'Civil Liberties Protection Officer'. If needed, individuals can appeal a complaint to the newly established Data Protection Review Court (DPRC), an independent entity comprised of individuals who are not part of the US Government. The DPRC can enact binding decisions, including the ability to order the deletion of improperly collected data. Throughout the investigation, the court appoints a special advocate to represent the complainant's interests. Once the investigation concludes, the complainant is informed that either no violation of US law was identified, or that a violation was found and remedied. A reasoned decision of the court can be released later once and if confidentiality requirements have concluded.

What’s next?

UK Extension

The decision sets the stage for the proposed UK Extension to the Data Privacy Framework facilitating data flows between the UK and the US to be introduced under UK law. Such a framework would require the US to designate the UK as a "qualifying state" and the UK Secretary of State to issue an adequacy decision. The Department of commerce has issued an advisory that from 17 July 2023, US organisations that are part of the DPF can also self-certify for the UK Extension but cannot rely on it for UK personal data transfers until the UK adequacy regulations come into force. There is no clear timeline for establishing the UK extension, but this is understood to be a priority.

Swiss-US DPF

On 17 July the Swiss-U.S. DPF will also become operational. Members certified under the Swiss-U.S. Privacy Shield Framework will seamlessly transition into the new framework. However, as with the UK, transfers cannot be made until Switzerland issues an adequacy decision.

NOYB challenges

NOYB indicated it will appeal the framework, noting the "third attempt of the European Commission to get a stable agreement on EU-US data transfers will likely be back at the Court of Justice (of the European Union) in a matter of months." NOYB, and Max Schrems believe that this does not address "fundamental" surveillance issues. They allege that the Executive Order does not sufficiently curtail US surveillance (to the proportionality standard allowed under the EU) or offer effective legal redress.

A particular concern raised by both noyb and the EDPB relates to the secrecy surrounding the DPRC’s court process. In particular, data subjects are unable to be heard themselves before the court, with the procedure instead being instigated on their behalf by their local DPA and advocated by an appointed special advocate, and they will not be able to access the reasoned decisions granted by the courts unless they are declassified, with the courts having no ability to determine this classification. Such situations have previously been considered by the European Court of Human Rights (e.g. Kennedy v United Kingdom) and the CJEU (e.g. Kadi II). These cases note that the relevant rights to an oral hearing and a reasoned judgement can be curtailed in the interests of national security, but that curtailment has to be limited and proportionate. In general, both the ECtHR and CJEU have only approved of situations where the court or tribunal has the discretion to determine the openness of the proceedings and the reasoned decision based on the circumstances of the specific case. With the DPRC, the openness of the proceedings can be mitigated by the availability of special advocates; however, the only mitigation with regards to the reasoned decision is that it may be released later, but this will not be at the discretion of an independent body. This is likely to be a focus in the inevitable Schrems III case. In the meantime, the adequacy decision should enable data flows to continue and should protect those who export personal data to the US including when transfer rely on mechanisms such as (standard contractual clauses) and (binding corporate rules) rather than on the DPF itself.