With the new EU-U.S. Data Privacy Framework, a new data protection agreement has now been agreed between the EU and the United States. The agreement confirms an adequate level of data protection for certified US companies. However, the EU-U.S. Data Privacy Framework should be treated with caution, as the decision is more likely to pave the way for a third round at the Court of Justice of the European Union (CJEU).
We explain what companies in the EU can do now, whether the EU-U.S. Data Privacy Framework is a sustainable solution and what alternatives are available.
Current status of the EU-U.S. Data Privacy Framework
The EU Commission adopted the adequacy decision for the EU-U.S. Data Privacy Framework on 10 July 2023. This means that personal data can be transferred from the EU back to the U.S. without the need for further additional safeguards. However, this only applies to organisations that join the EU-U.S. Data Privacy Framework.
The majority of member states have also spoken out in favour of the adequacy decision.
Update, September 2023
It took less than two months for the first lawsuit against the EU-U.S. Data Privacy Framework. French parliamentarian Philippe Latombe (a member of the Mouvement Démocrate party), acting as a private citizen, has reached out to the EU General Court to have the Data Privacy Framework annulled.
According to Latombe, the agreement violates the EU Charter of Fundamental Rights because it does not provide sufficient guarantees for respect for private and family life with regard to the extensive surveillance possibilities and no guarantees for the right to an effective remedy and access to an impartial court.
Moreover, there is a formal breach as the EU-U.S. Data Privacy Framework has been drafted or available as an English language version since its entry into force on 10 July 2023. However, Art. 4 of EU Regulation No. 1 requires that “Regulations and other documents of general application shall be drawn up in the official languages.” That is currently 24 official languages.
However, it is questionable whether Latombe’s lawsuit is admissible. Private individuals can only bring an action before a European court if they are individually affected by the relevant Commission decision (Art. 263 TFEU).
Max Schrems, on the other hand, is planning a different path. As soon as companies invoke the new EU-U.S. Data Privacy Framework, he will take legal action against it before national courts, which will then probably refer the case to the CJEU.
Why is the EU-U.S. Data Privacy Framework needed?
If personal data is to be transferred to a third country (i.e. outside the EU or the European Economic Area – EEA), the EU General Data Protection Regulation (GDPR) requires additional guarantees. This can be, among other things, an adequacy decision of the EU Commission, which states that an adequate level of data protection exists in the recipient country or can be achieved through additional measures.
One such adequacy decision is the EU-U.S. Data Privacy Framework. It already had two predecessors:
- Safe Harbor, declared invalid by the CJEU in 2015 in the so-called Schrems ruling,
- EU-U.S. Privacy Shield, 2020 overturned by the CJEU in the so-called Schrems II ruling.
The EU-U.S. Data Privacy Framework is thus the third attempt by the EU Commission to allow transfers of personal data to the U.S. without additional safeguards such as Standard Contractual Clauses (SCCs).
What does the (new) EU-U.S. Data Privacy Framework regulate?
U.S. companies can join the EU-U.S. Data Privacy Framework by committing to detailed data protection obligations (as with the EU-U.S. Privacy Shield). These include, for example, obligations to delete personal data when the purpose for which it was collected has been achieved, or to ensure the continuity of protection when personal data is transferred to service providers or third parties.
On the American side, the U.S. Department of Commerce handles applications for certification and compliance monitoring.
The new data protection agreement between the EU and the U.S. brings with it – at least on paper – some improvements over its predecessors. New binding safeguards are introduced, in particular to address the concerns expressed by the CJEU. It is foreseen that access by U.S. intelligence services to EU data will be limited to what is necessary and proportionate. It also introduces a Data Protection Review Court (DPRC) to which EU data subjects will have access.
The full text of the EU-U.S. Data Privacy Framework is available as a PDF here.
The EU Commission, together with representatives of the European data protection authorities and the competent U.S. authority, will regularly review the functioning of the EU-U.S. Data Privacy Framework. The first review will take place already one year after the entry into force of the adequacy decision to determine whether all relevant elements have been fully implemented in the U.S. legal framework and are actually functioning in practice.
What does the EU-U.S. Data Privacy Framework mean for companies in the EU?
The new agreement promises companies the long-awaited legal basis that was previously lacking for transferring personal data to the U.S. After a three-year stalemate, which is now coming to an end, companies will once again have legal certainty.
However, it is also certain that this new regulation will again be reviewed by the courts. The data protection activist Max Schrems and his NGO none of your business (noyb), who have already ensured the overthrow of the two previous agreements with the U.S., have already announced a lawsuit.
The new EU-U.S. Data Privacy Framework is again a sectoral approach, whereby personal data may only be transferred to organisations that have certified themselves with the U.S. Department of Commerce. The corresponding list is provided by the U.S. Department of Commerce. EU companies must therefore first check whether the American company is certified. If this is the case, personal data can be transferred to these companies without applying additional data protection safeguards, such as standard contractual clauses (SCCs).
But even with U.S. companies that are not certified, it could be easier to exchange data in the future. Unless a U.S. company is certified, data transfer is possible subject to appropriate safeguards, such as SCCs. Finally, the safeguards put in place by the U.S. government in the area of national security (including the redress mechanism) apply to all data transfers, regardless of the transfer mechanisms used. Companies basing data exchanges on SCCs, while required to conduct the mandatory data transfer impact assessment (TIA) in Clause 14 SCC, should now find it easier to conclude that U.S. law and practice do not prevent the data importer from fulfilling its obligations.
How can companies in the EU use the EU-U.S. Data Privacy Framework?
The following steps are necessary for companies that want to transfer personal data from the EU to the US:
- Check if the service provider is listed on the U.S. Department of Commerce list (available as of 17 July 2023).
Listed or certified service provider
- Also critically check in which other third countries the U.S. company uses subcontractors. If so, question whether sufficient guarantees are in place and whether a TIA has been carried out.
- Adjust your information letters and privacy statements regarding third country transfers accordingly.
- Companies relying on the new agreement must remember existing SCCs can be terminated. These are, after all, only a contractual arrangement between the parties. Clause 16 e) states that SCCs remain valid until one party withdraws consent. Please also note that should SCCs be terminated a data processing agreement/contract will be required, if the SCCs were being used as the data processing agreement/contract.
Non-listed or certified service provider
- Ensure sufficient safeguards according to 46 GDPR, for example SCCs.
- As part of a Transfer Impact Assessment (TIA), assess whether the personal data in the recipient country is protected within an equivalent level of data protection as in the EU. If necessary, take additional measures to guarantee the protection of the personal data of the data subjects.
Conclusion: Only a brief ray of hope
Even if there is calm now and the EU adequacy decision will make data transfers between the EU and the U.S. much easier, this should probably be taken with a grain of salt. There is no question that the adequacy decision will be challenged and referred to the CJEU for review.
A judgment could also be reached significantly faster this time, as essentially not much has changed. The new agreement is largely a copy of old principles. In reality, the U.S. intelligence services continue to have far-reaching surveillance possibilities and the appeal procedure is also bordering on a farce.
Companies in the EU that are now counting on this adequacy decision should be warned and take it with a pinch of salt. Furthermore, it is often not considered that American companies also use service providers located in other third countries, such as India, China, etc. This means that it is not sufficient for a U.S. company to be certified under the new data protection framework. It is also necessary to check which subcontractors are used and whether they have suitable guarantees in accordance with Art. 46 GDPR.
From an economic point of view, a stable data protection agreement with the USA would be very welcome. Until then, we recommend using European service providers whenever possible.