On 10 July 2023, the European Commission adopted a decision on the adequacy of data protection in the United States in relation to the EU-US Data Privacy Framework (DPF). An adequate level of data protection means a level of protection essentially equivalent to that guaranteed in the European Union.
As a result of the decision, personal data can be transferred from the EU to DPF-certified US companies without additional safeguards – i.e. transfers take place under the same conditions as transfers of personal data within the EU. Companies have been able to apply for DPF certification since 17 July 2023, so this is a very recent arrangement.
All valid DPF certifications can be found on the DPF website under 'Data Privacy Framework List'.
Legal environment pre-decision
The DPF is comparable to the previous Safe Harbor (2000-2016) and Privacy Shield (2016-2020) frameworks, under which an EU entity was legally allowed to transfer data to a U.S. service provider that was Safe Harbor or Privacy Shield certified. Both arrangements were invalidated by the well-known Schrems I and II rulings (C-362/14 and C-311/18) of the Court of Justice of the European Union (CJEU) on the grounds that US law did not ensure a level of protection essentially equivalent to that required under EU law. In particular, the incompatibility rested on the following two factors:
- U.S. legislation gave U.S. intelligence services overly broad powers of access to personal data processed in the United States.
- US legislation did not provide EU data subjects with adequate legal remedies.
In the legal environment prior to the Commission's decision, the transfer of personal data to the United States was, to say the least, legally uncertain and de facto prohibited. Although such transfers remained theoretically possible, for example under the Commission's Standard Contractual Clauses (better known as SCCs), it was virtually impossible for companies to implement the supplementary measures that would have been required to compensate for the shortfall in the US legal environment relative to the level of protection required by the EU.
The DPF applies only to U.S. companies that commit to the data protection principles set out in the DPF and certify that commitment with the U.S. Department of Commerce. The DPF principles guarantee EU data subjects a number of rights in line with the GDPR, such as access to personal data collected about them and the right to rectification or erasure of inaccurate or unlawfully processed data concerning them. In addition, the DPF offers various remedies in case their personal data is mishandled, such as a free and independent dispute resolution mechanism.
However, these principles, dispute resolution mechanisms and the self-certification scheme involve no significant changes compared to the previous Privacy Shield system. In fact, the headings of the DPF principles are the same as in the previous system, and there are no significant differences between the texts themselves. It is therefore fair to say that the DPF and its annexes are little more than a slightly updated copy of the Privacy Shield system.
The most relevant updates to the US-EU data protection environment are the safeguards put in place by the United States, on which an agreement in principle was reached between the US and the European Commission in March 2022 and which were subsequently implemented by the Executive Order of the President of the United States of October 2022 (Executive Order 14086) and the related regulations adopted by the US Attorney General.
As a result of the agreement, the following safeguards have been introduced in the United States:
- Binding safeguards to limit access to personal data by U.S. intelligence authorities to what is necessary and proportionate to protect national security;
- Enhanced oversight of activities by U.S. intelligence services to ensure compliance with limitations on surveillance activities; and
- The establishment of an independent and impartial redress mechanism, which includes a new Data Protection Review Court to investigate and resolve complaints from EU data subjects regarding access to their data by U.S. national security authorities.
The European Commission's adequacy decision for the EU-US Data Privacy Framework is therefore based mainly on the implementation of these safeguards, which aim to address the shortcomings identified by the CJEU in its Schrems II ruling.
Impact on other personal data transfer mechanisms
The above-mentioned updates to the U.S. level of data protection apply not only to transfers of personal data under the new DPF but to all transfers of personal data to the U.S. As a result, the new legal situation also provides additional protection for transfers of personal data that are not covered by the DPF. In the current legal situation, personal data can therefore also be transferred to the U.S. under the GDPR's other appropriate transfer mechanisms, such as the SCCs or Binding Corporate Rules.
However, for these alternative transfer mechanisms, irrespective of any improvement in the legal situation, the contracting parties must still carry out a case-by-case assessment of whether the transfer guarantees a level of data protection equivalent to EU requirements and assess the need for supplementary measures (a transfer impact assessment, TIA). This requirement stems from the Schrems II ruling and the recommendations of the European Data Protection Board (EDPB).
The DPF will clarify and facilitate the transfer of personal data across the Atlantic. It will also reduce the risk of repercussions for unlawful transfers of personal data, such as administrative fines, cease and desist orders by supervisory authorities or reputational damage. In principle, every larger U.S. company (e.g. Google and Microsoft) is likely to become DPF certified, and the companies mentioned already are.
However, it is expected that the DPF will meet the same fate as Safe Harbor and Privacy Shield in the coming years, since US law continues to allow such broad powers of access to personal data processed in the United States that it is likely to remain in conflict with EU law. The DPF can therefore be understood as a political arrangement between the EU and the US, enabling lawful personal data transfers between the two regions until the CJEU (presumably) intervenes.
The influential data protection rights NGO noyb (None of Your Business) has already announced that it will challenge the new DPF in court. The organization was founded by Maximilian Schrems, the driving force behind the earlier Schrems I and II cases. It is therefore very likely that we will soon see a Schrems III case before the CJEU.
Our Associate Trainee Savva Kuparinen took part in writing this article.