On July 10, 2023, the European Commission adopted the EU-US Data Privacy Framework, which clarifies the rules for transfers of personal data from controllers or processors within the EU to certified organisations in the US.
President Ursula von der Leyen says that “The new EU-U.S. Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic. Following the agreement in principle I reached with President Biden last year, the US has implemented unprecedented commitments to establish the new framework. Today we take an important step to provide trust to citizens that their data is safe, to deepen our economic ties between the EU and the US, and at the same time to reaffirm our shared values. It shows that by working together, we can address the most complex issues.”
While the Commission declares that the new measures go well beyond those that existed under the Privacy Shield, noyb, the organisation led by privacy activist Max Schrems, has announced that it will challenge the Framework on the grounds that it is largely a copy of the failed Privacy Shield.
What is determined under the Framework?
The Commission declares that transfers of personal data to organisations included in the Data Privacy Framework List, published by the U.S. Department of Commerce, benefit from an adequate level of protection.
The Framework is said to introduce new binding rules in order to comply with the European Court of Justice's ruling: in particular, the US intelligence services' access to EU data is limited to what is necessary and proportionate, and a Data Protection Review Court (DPRC) is established as the authority to which EU individuals may apply.
The Commission also affirms that, under this new regime, the DPRC is able to delete the transferred data if it finds that the data was collected in breach of these new safeguards.
From the effective date, US organisations receiving transatlantic data transfers must be included in the list, and such transfers may then rely on the adequacy decision without applying the transfer mechanisms set out in Article 46 of the GDPR.
Several redress mechanisms are available to data subjects whose data is transferred, should they consider that the processing does not comply with the DPF.
Complaints in the area of national security are submitted to the data subject's national data protection authority. The complaint is then handed to the EDPB, which in turn forwards it to the US authorities.
The Principles define personal data, processing, controller and processor in the same way as Regulation (EU) 2016/679.
The system is based on a set of privacy principles. To be granted certification, an organisation must fall within the scope of the investigatory and enforcement powers of the Federal Trade Commission (FTC) or the U.S. Department of Transportation (DoT), and the principles apply as soon as certification is granted. In this way, US companies commit to complying with a set of privacy obligations, such as deleting data once it is no longer necessary for the purpose of the processing.
It is also asserted that the US legal framework provides several safeguards that limit the processing carried out by US public authorities for national security purposes to what is necessary and proportionate.
All in all, the Commission asserts that these new safeguards have been introduced and that processing will strike a proportionate balance between the national security purposes of the US and the rights of EU data subjects.
noyb raises its concerns regarding the new Framework
Right after the EU-US Data Privacy Framework was adopted, Max Schrems said: “We have various options for a challenge already in the drawer, although we are sick and tired of this legal ping-pong. We currently expect this to be back at the Court of Justice by the beginning of next year. The Court of Justice could then even suspend the new deal while it is reviewing the substance of it. For the sake of legal certainty and the rule of law we will then get an answer if the Commission’s tiny improvements were enough or not. For the past 23 years all EU-US deals were declared invalid retroactively, making all past data transfers by business illegal – we seem to just add another two years of this ping-pong now.”
In the past, the CJEU annulled the Commission Decision known as Safe Harbor in C-362/14 (“Schrems I”) in 2015, due to US surveillance laws. In 2016, the European Commission adopted the Decision named “Privacy Shield” regarding EU-US data transfers, which was invalidated by the CJEU in C-311/18 (“Schrems II”) in 2020, largely on the same grounds, says noyb.
Although the Commission is pleased with the outcome of its agreement with the US, the Framework is likely to be challenged in the near future, most probably before its first review, which the European Commission will conduct together with representatives of European data protection authorities and the competent US authorities.