On July 10, 2023, the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework (“DPF”). The DPF is the successor to the EU-US Privacy Shield, which the Court of Justice of the European Union (“CJEU”) declared invalid in 2020.
– Background
The CJEU has annulled two previous frameworks that allowed the transfer of EU citizens’ personal data to the U.S.: the Safe Harbour decision of 2000 and the Privacy Shield decision of 2016.
Maximillian Schrems, an Austrian citizen and Facebook user, lodged a complaint with the Irish supervisory authority (the Data Protection Commissioner), taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency, “the NSA”), the law and practice of the United States did not offer sufficient protection against surveillance by public authorities of the data transferred to that country.
In 2014, the High Court of Ireland referred questions to the CJEU for a preliminary ruling. In its judgment of October 6, 2015 (Case C-362/14), the CJEU ruled that the Safe Harbour decision was invalid because, in the wake of the Snowden revelations, it could not be regarded as ensuring a level of protection essentially equivalent to that guaranteed in the EU (https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62014CJ0362) (“Schrems I”).
On 16 July 2020, the CJEU, in Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, invalidated the EU-US Privacy Shield (https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:62018CJ0311) (“Schrems II”).
The decision hinged on two findings: U.S. surveillance law allowed U.S. intelligence and law enforcement agencies to access data transferred from the EU without limitations essentially equivalent to those required under EU law (in particular the requirements of necessity and proportionality), and EU data subjects had no actionable right to redress before an independent and impartial body against such access. On that basis the Privacy Shield failed to ensure the level of protection mandated by the General Data Protection Regulation (GDPR).
While Schrems II confirmed that the Standard Contractual Clauses (SCCs) issued by the European Commission for transfers of personal data outside the EU remained valid, it also made clear that companies relying on SCCs must assess, case by case, whether an “adequate level of protection” can be maintained given the circumstances of the transfer and the laws of the importing country, and must adopt supplementary measures, or suspend the transfer, where it cannot.
– What is an Adequacy decision?
An Adequacy Decision is one of the transfer tools provided under the GDPR (Art. 45) for transferring personal data from the European Union to third countries which, in the assessment of the Commission, ensure a level of protection of personal data essentially equivalent to that guaranteed in the European Union.
As a result of Adequacy Decisions, personal data can flow freely and safely from the European Economic Area (EEA), which includes the 27 EU Member States as well as Norway, Iceland, and Liechtenstein, to a third country, without being subject to any further conditions or authorizations.
In other words, transfers to the third country can be handled in the same way as intra-EU transmissions of personal data.
– What are the consequences of the DPF dated July 10, 2023?
Data importers in the U.S. that wish to benefit from the DPF must self-certify under the DPF and comply with the DPF Principles, such as purpose limitation, data minimization and data retention, as well as specific commitments on data security and on sharing with third parties.
The commitment to comply with the DPF must be reflected in the privacy notices of participating U.S. data importers. The Adequacy Decision provides that the DPF Principles apply immediately upon certification. Participating organizations must recertify their adherence to the DPF Principles annually.
The DPF is administered by the U.S. Department of Commerce, which processes applications for certification and monitors whether participating companies continue to meet the certification requirements. Compliance by U.S. companies with their obligations under the DPF is enforced by the U.S. Federal Trade Commission.
Data exporters in the EU that want to transfer EU personal data under the DPF must check, prior to the transfer, on the DPF website (the “Data Privacy Framework List” at www.dataprivacyframework.gov) whether the recipient in the U.S. is certified under the DPF and whether the relevant data transfer is covered by that certification. The check should be done on the specific entry: each certification lists the frameworks it covers (EU-U.S. DPF, its UK Extension, Swiss-U.S. DPF), the categories of data covered (HR data, non-HR data, or both) and whether the certification is currently active.
To the extent data exporters rely on the DPF as the legal basis for the transfer, the information given to EU data subjects in the data exporter’s privacy notice under Art. 13 and 14 GDPR (which require disclosure of the transfer and of the existence of an adequacy decision) will need to be updated.
EU data exporters may have reasons to continue to rely on the SCCs and Binding Corporate Rules (BCR) as well, especially where these are already in place. In such scenarios, data exporters should take into account that the safeguards introduced on the U.S. side (in particular the limits on intelligence access and the redress mechanism under Executive Order 14086) apply to data transferred to the U.S. regardless of the transfer tool used, and should reflect this in the transfer impact assessments underlying their existing SCCs and/or BCR.
– Conclusion – Schrems III?
noyb is an organization initiated by Max Schrems which brings together a large group of experts and institutions from the privacy, technology and consumer rights sectors from all over Europe and beyond. Max Schrems is the honorary Chairman of this organization.
noyb recently made the following statement concerning the DPF:
“[…] We expect the new system to be implemented by the first companies within the next months, which will open the path towards a challenge by a person whose data is transferred under the new instrument. It is not unlikely that a challenge would reach the CJEU by the end of 2023 or beginning of 2024. The CJEU would then even have the option to suspend the "Framework" for the time of the procedure. A final decision by the CJEU would be likely by 2024 or 2025. No matter if such a challenge will be successful, this will bring clarity to the "Trans-Atlantic Data Privacy Framework" within about two years” (https://noyb.eu/en/european-commission-gives-eu-us-data-transfers-third-round-cjeu).
So, will the DPF hold up?
On February 28, 2023, the European Data Protection Board (EDPB) adopted its Opinion 5/2023 on the draft adequacy decision regarding the EU-U.S. Data Privacy Framework. It welcomed substantial improvements, such as the introduction of requirements embodying the principles of necessity and proportionality for U.S. intelligence collection of data and the new redress mechanism for European data subjects (the Data Protection Review Court). At the same time, it expressed concerns pertaining to, for instance, the lack of a fully independent prior review of such data collection on the U.S. side and the question whether data subjects have sufficient rights of access to their personal data to meet the GDPR’s requirements.
Concerning the monitoring and review of the DPF (at that time, the EDPB was assessing the content of what was called the “Draft Decision”), the EDPB stated that, “according to the case law of the CJEU, ‘in the light of the fact that the level of protection ensured by a third country is liable to change, it is incumbent upon the Commission, after it has adopted an adequacy decision pursuant to [Article 45 GDPR], to check periodically whether the finding relating to the adequacy of the level of protection ensured by the third country in question is still factually and legally justified. Such a check is required, in any event, when evidence gives rise to a doubt in that regard’” (§242 of the Opinion).
To that effect, the EDPB Chair, Andrea Jelinek, made the following comment: “[…] we think that after the first review of the adequacy decision, subsequent reviews should take place at least every three years and we are committed to contributing to them” (press release “EDPB welcomes improvements under the EU-U.S. Data Privacy Framework, but concerns remain”, European Data Protection Board, europa.eu).
Legal opinion on the question is divided.
Some practitioners say that Max Schrems could win a third victory, in particular in light of the concerns raised by the EDPB; some even say, like Max Schrems, that changes to U.S. surveillance law itself are needed to make the DPF work.
Others are more optimistic and consider that the Commission has checked Executive Order 14086 against the requirements set out in Schrems II, so that, in theory, the Adequacy Decision of July 10, 2023 should address all issues and concerns raised in the judgment handed down by the CJEU on 16 July 2020.
What is clear is that if the new Adequacy Decision were, once again, to be struck down by the CJEU, companies may lose faith in the feasibility of a durable EU-U.S. data transfer framework and turn to SCCs or BCR instead.
Adequacy Decision available here: https://commission.europa.eu/system/files/2023-07/Adequacy%20decision%20EU-US%20Data%20Privacy%20Framework_en.pdf