The European Commission adopted the EU-US Data Privacy Framework on July 10, 2023, which clarifies the rules for transferring personal data from controllers or processors within the EU to certified organizations in the US.
President Ursula von der Leyen says “The new EU-U.S. Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic. Following the agreement in principle I reached with President Biden last year, the US has implemented unprecedented commitments to establish the new framework. Today we take an important step to provide trust to citizens that their data is safe, to deepen our economic ties between the EU and the US, and at the same time to reaffirm our shared values. It shows that by working together, we can address the most complex issues.”
While the Commission declares that the new measures go well beyond those that existed under the Privacy Shield, noyb, which is led by privacy activist Max Schrems, announced that it will challenge the Framework, arguing that it is largely a copy of the failed Privacy Shield.
What is determined under the Framework?
The Commission declares that an adequate level of protection is ensured for personal data transferred to organizations included in the Data Privacy Framework List, which is published by the U.S. Department of Commerce.
The Framework is said to introduce new binding rules to comply with the Court of Justice of the European Union's ruling: in particular, US intelligence services' access to EU data is limited to what is necessary and proportionate, and a Data Protection Review Court (DPRC) is established as the authority to which EU individuals may apply.
The Commission also affirms that, under this new regime, the DPRC is able to delete the transferred data if it finds that the data was collected in breach of these new safeguards.
Since the effective date, US organizations receiving transatlantic data transfers must be included in the list; transfers to them may then rely on the adequacy decision without applying the mechanisms set out in Article 46 of the GDPR.
Several redress mechanisms are available to data subjects whose data is transferred, should they dispute that the processing complies with the DPF.
In the area of national security, a complaint is submitted to the data subject's national data protection authority. The complaint is then handed to the EDPB, which forwards it to the US authorities.
The Principles define personal data, processing, controller, and processor in the same way as Regulation (EU) 2016/679.
The system is based on a set of privacy principles. To be certified, an organization must fall within the investigatory and enforcement powers of the Federal Trade Commission (FTC) or the U.S. Department of Transportation (DoT), and the principles apply as soon as certification is granted. In this way, US companies commit to complying with a set of privacy obligations, such as deleting data once it is no longer necessary for the purpose of the processing.
It is also asserted that the US legal framework provides several safeguards limiting data access by US public authorities for national security purposes to what is necessary and proportionate.
All in all, the Commission asserts that these new safeguards strike a proportionate balance between US national security purposes and the rights of EU data subjects.
noyb raised its concerns regarding the new Framework
Right after the EU-US Data Privacy Framework was adopted, Max Schrems said “We have various options for a challenge already in the drawer, although we are sick and tired of this legal ping-pong. We currently expect this to be back at the Court of Justice by the beginning of next year. The Court of Justice could then even suspend the new deal while it is reviewing the substance of it. For the sake of legal certainty and the rule of law, we will then get an answer if the Commission’s tiny improvements were enough or not. For the past 23 years, all EU-US deals were declared invalid retroactively, making all past data transfers by business illegal – we seem to just add another two years of this ping-pong now.”
In the past, the CJEU annulled the Commission decision known as Safe Harbor in C-362/14 (“Schrems I”) in 2015 because of US surveillance laws. In 2016, the European Commission adopted the “Privacy Shield” decision on EU-US data transfers, which the CJEU invalidated in C-311/18 (“Schrems II”) in 2020, largely on the same grounds, noyb says.
Although the Commission is pleased with the outcome of its agreement with the US, the Framework is likely to be challenged in the near future, most probably before its first review by the European Commission together with representatives of European data protection authorities and competent US authorities.