The New EU-US Data Privacy Framework
On 10th July 2023 the European Commission (“EC”) adopted its long-awaited adequacy decision for the EU-US Data Privacy Framework (“DPF”) and the DPF has entered into force with immediate effect. The DPF is a self-certification programme, similar to the previous EU-US Privacy Shield which allows companies to transfer data freely from the European Economic Area (EEA) to the USA.
Why is this significant?
This adequacy decision became necessary following the judgment handed down by the Court of Justice of the European Union (CJEU) in Schrems II in July 2020 which struck down the previous EU-US Privacy Shield. CJEU’s concerns were that the US public authorities' use of and access to EU data were not restricted by the principle of proportionality. This concern arose from alleged ‘spying’ by the US Government enabled by invasive US surveillance laws including FISA 702. The Court was also concerned that there were no effective redress mechanisms for EU data subjects to challenge surveillance practices.
As a consequence, for the past three years, organisations have been required to put in place appropriate safeguards and carry out a Transfer Impact Assessment (TIA) in respect of any trans-Atlantic data transfers. Following this decision, transfers to US organisations who are signed up to the DPF will be considered “adequate”.
The new framework seeks to address the concerns raised by CJEU by introducing new binding safeguards, including: limiting access to EU data by US intelligence services to what is necessary and proportionate, and establishing a two tier redress mechanism including a Data Protection Review Court, which will independently investigate complaints lodged by Europeans.
How does it work?
US companies will be able to join the EU-US Framework by self-certifying their commitment to comply with a detailed set of privacy obligations (the "EU-US Framework Principles"), e.g. the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected. The EU-US Framework Principles are an updated version of the principles established under the Privacy Shield framework and organisations that were already certified under the Privacy Shield framework will still be required to self-certify under the EU-US Framework.
However, not all US companies are eligible to self-certify. Only those companies who are subject to the investigatory and enforcement powers of the Federal Trade Commission and Department of Transportation will be able to certify under the DPF.
What does this mean for the UK?
The DPF does not apply to data transfers from the UK to the US, however, it adds momentum to the UK’s efforts to put in place its own version of the framework. On 8 June 2023, UK and US officials announced that they had reached a commitment in principle to establish a data bridge between the two countries ("UK-US Data Bridge") aimed at creating a mechanism for transatlantic flows of personal data. Given the trade links between the two countries a US adequacy decision is likely to be a top priority for the UK Government.
Is the DPF here to stay?
It seems inevitable that the DPF will be subject to future litigation from NOYB and its co-founder Max Schrems who was responsible for invalidating the previous Privacy Shield in Schrems II. NOYB has announced that it will appeal the DPF stating “the third attempt of the European Commission to get a stable agreement on EU-US data transfers will likely be back at the Court of Justice (of the European Union) in a matter of months." NOYB, and Max Schrems believe that the Framework does not address "fundamental" concerns around US surveillance.
Pending litigation aside, the DPF is now binding meaning that EU and US companies can begin to take advantage of the benefits it confers in relation to transatlantic data flows. However, organisations should be cautious about renegotiating contracts and abandoning any Standard Contractual Clauses or appropriate safeguards which are already in place. Rather organisations should prepare for the likely Schrems III case by having contingency plans in place in the event that this Framework is invalidated like its predecessors.
If you would like any further information or advice, please contact Laura Cunningham from the Commercial team.
*This information is for guidance purposes only and does not constitute, nor should be regarded, as a substitute for taking legal advice that is tailored to your circumstances.