Update
14.07.2023
On 10 July 2023, the European Commission adopted the adequacy decision for the EU-US Data Privacy Framework (DPF). This new agreement governs the international transfer of personal data to the United States and came into effect immediately.

The decision marks a significant stride towards eliminating uncertainty in most EU-US data flows, including those involving cloud services and international conglomerate groups that exchange data in the course of their intra-group business dealings.

Background to the DPF
A brief recap: the General Data Protection Regulation (GDPR) provides that transfers of personal data to a country outside the European Economic Area (EEA) without appropriate safeguards are only permissible if that country ensures an adequate level of data protection. This can be determined on the basis of an adequacy decision issued by the European Commission. An adequacy decision means that the European Commission has determined that the level of data protection afforded by a third country's legislation is essentially equivalent to that of the GDPR, and it thereby constitutes legal grounds for a data transfer.

The DPF's predecessor, the EU-US Privacy Shield Agreement (Privacy Shield), benefitted from such an adequacy decision. It ensured that data transfers to recipients in the US adhered to the GDPR, provided that those recipients self-certified their compliance with the principles set forth under the Privacy Shield. This informal arrangement was invalidated by the Court of Justice of the European Union (CJEU) in 2020 as a consequence of the Schrems II judgment, due to the far-reaching possibilities of bulk and disproportionate data surveillance that existed under the US national security laws.

Another criticism was that there was no authority capable of making binding decisions on surveillance authorities independently from the US Government. As a consequence of Schrems II, companies could no longer merely rely on standard contractual clauses (SCCs) for transatlantic data transfers. They needed to adopt additional safeguards such as pseudonymisation, encryption, and data transfer impact assessments (DTIAs). The Schrems II case followed the 2016 Schrems I judgment, in which the US Safe Harbour adequacy decision, the predecessor of the EU-US Privacy Shield, was invalidated for similar reasons.

On 7 October 2022, President Biden signed Executive Order (EO) 14086, introducing new legal safeguards concerning the use of EU citizens' personal data by US security agencies, thereby attempting to address the concerns brought up by Schrems II. In general, it has had a positive impact on other data transfers to the US, since the safeguards also apply when data is transferred by using tools such as SCCs or binding corporate rules. It is widely agreed that this executive order positively influenced the European Commission's choice to adopt its adequacy decision for the DPF, thereby forming a critical component of its origin.

What do the DPF and EO 14086 entail?
The EU-US Data Privacy Framework first of all takes account of the new set of rules and binding safeguards regarding data access by US public authorities, in particular for criminal law enforcement and national security purposes under EO 14086. The latter provides that data access in the context of signals intelligence collection is limited to what is necessary and proportionate to protect national security. For instance, the framework outlines the legitimate objectives that intelligence agencies may pursue to collect signals intelligence. These objectives must be further substantiated into concrete priorities, with privacy considerations taken into account. The requirements of necessity and proportionality directly reflect the legal framework of EU data protection law.

Furthermore, EO 14086 provides for improved redress mechanisms, including a Data Protection Review Court (DPRC) that functions as an independent authority, the absence of which was one of the main criticisms of the previous Privacy Shield. After a review of the EU data protection laws (even though it concluded that the EU provides lower protection than the US on some points), the US accepted the EU as a ‘qualifying state’. This allows EU/EEA individuals to lodge a complaint if their personal data is handled in a manner that infringes on the DPF. Such complaints can be submitted to their national data protection authority, which will ensure that the complaint is properly transmitted to the DPRC. If the DPRC finds that data was collected in violation of the new safeguards, it will, inter alia, be able to order deletion of the data. Those elements led to the European Commission’s positive assessment of the adequacy of the data protection standards in the US, certainly when it comes to enforcement.

The DPF provides stringent standards for the participating US companies processing data transferred from the EU. The data importers that wish to use the DPF have to self-certify that they adhere to several key principles and the standards through the US Department of Commerce. This may take some time to fulfil. There is a fast-track for organisations previously listed in the Privacy Shield, as they are automatically converted and may begin relying immediately on the DPF to receive personal data transfers from the EU/EEA.

Finally, the framework includes specific monitoring and review mechanisms to assess the operations of the DPF, conducted by the European Commission in collaboration with representatives from European data protection authorities and competent US authorities.

A positive step forward…
The DPF is designed to provide a stable and reliable personal data transfer mechanism between the EU and the US while ensuring that the privacy rights of EU citizens are protected. This is a crucial step towards restoring trust in transatlantic data flows following the invalidation of the Privacy Shield agreement, which is extremely important for international conglomerate groups that exchange data as part of intra-group business dealings. In practice, it also means that companies are no longer required to carry out DTIAs and adopt additional safeguards, such as pseudonymisation and encryption. This can save costs and time, and reduce the need for expertise. However, some of these safeguards are security measures that should be implemented anyway where appropriate as per Article 32 GDPR, even with the DPF in place. 

… with limitations
Nevertheless, not all support the implementation of the DPF. Previous concerns regarding this framework led to a motion for a resolution, proposed by the chairperson of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs. Since the new DPRC is completely operational from the US and under US law, its independence is already being questioned by experts, which may lead to a new ‘Schrems III’.

Another critical note is that the DPF only covers transfers to the US. Other transfer tools and additional safeguards are still required for transfers to other ‘unsafe’ non-EU/EEA jurisdictions such as China and India. Furthermore, US recipients under the DPF must respect the special rules on onward transfers towards subcontractors (sub-processors) and other parties outside the EU/EEA. In the context of cloud services, for example, the list of subcontractors outside the EU/EEA which need to adhere to the GDPR principles is quite impressive. In that regard, the scope of the DPF is limited and should be carefully considered. Lastly, the framework is only open to US entities that are subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) or the U.S. Department of Transportation (DoT). As a result, entities such as public sector entities and financial institutions cannot benefit. In these cases, SCCs must be deployed, although they can be implemented more easily following Executive Order 14086.

Conclusion
In summary, this decision by the European Commission provides a new legal framework for transatlantic data flows and offers a business-friendly alternative to facilitate transatlantic data sharing. However, organisations still must self-certify and rules on onward transfers must be respected towards subcontractors. Even in the worst-case scenario, such as a potential Schrems III, we expect the DPF to stand for years, providing a stable and reliable mechanism for future data transfers.