In the ever-evolving landscape of privacy and data protection, the European Union (EU) and the United States (US) have taken a significant step towards rebuilding their relationship, in particular in the long-disputed area of international data transfers. In the aftermath of the Court of Justice of the European Union's (CJEU) Schrems II ruling of July 2020, which invalidated the EU-US Privacy Shield, the European Commission adopted an adequacy decision for a new EU-US Data Privacy Framework (DPF) on 10 July 2023. The decision has raised hopes that some stability may finally be secured in this area. However, barely three months after the decision was reached, there have already been referrals to the CJEU questioning the legality of the framework and the extent to which it provides the safeguards that the GDPR requires for personal data transferred to the US.
What is the new DPF?
In simple terms, the new DPF allows personal data to be transferred from the EU to organisations in the US that have self-certified under the DPF, without the need for any other data transfer mechanism (such as Standard Contractual Clauses or Binding Corporate Rules). Furthermore, for transfers to organisations that have self-certified under the DPF, there is no need to carry out a transfer risk assessment, because the DPF has been granted an adequacy decision.
One of the primary reasons that the previous adequacy decisions and frameworks for transatlantic data transfers failed was concern over the surveillance powers that US intelligence agencies and the US Government have over personal data processed in the US. When adopting its decision, the Commission said that the DPF "introduces new binding safeguards to address all the concerns raised".
The basic principles upon which the EU-US DPF is based include:
Therefore, by adopting an adequacy decision for this new privacy framework, the European Commission acknowledges the efforts made by the US Government to address those concerns and to ensure that data subjects enjoy a level of protection for their personal data, once transferred to the US, that is essentially equivalent to the protection they enjoy in the EU.
How does it work?
The Framework is administered by the US Department of Commerce. Any US organisation that wishes to be treated as adequate, and thus to receive data transfers from the EU without further safeguards, must self-certify under the Framework and remain subject to monitoring to demonstrate that it continues to meet the certification requirements. Compliance by US companies with their obligations under the EU-US Data Privacy Framework is then enforced by the US Federal Trade Commission. The US Department of Commerce has already launched the Data Privacy Framework programme website, where US-based organisations can submit their self-certification and where anyone can find the list of participating companies, the background that led to the Framework and more.
An important remark should be made at this stage. The Framework does not grant blanket approval for transfers to the US. In the absence of a federal US privacy and data protection law that is considered adequate by EU GDPR standards, any transfer of personal data from the EU to a US company that is not certified under the new Framework remains a restricted transfer, and another safeguarding mechanism (e.g. SCCs or BCRs) must still be used to permit it. The new Framework therefore places the burden on the individual businesses that wish to register under it, rather than on the US legislature, to move forward in regulating this area as the EU has.
Why is this development important?
"The reason this is all so important is that data flows and the transfers of personal data are a key enabler for basically all elements of the transatlantic economic relationship. It's something so fundamental that it really underpins all elements of commerce and trade investment between the United States and Europe," US Department of Commerce DPF Director Alex Greenstein recently said. It is true that while the EU is a pioneer in regulating many areas of society, it lacks the technology infrastructure that would allow businesses based in the Union to avoid cross-border solutions (e.g. vendors for cloud processing, AI solutions, etc.). The new Framework is therefore a relief, especially for large organisations with regular transfers of personal data, as it provides some legal certainty and flexibility in an area that has seen a number of changes over the last three years.
What does this mean for your business?
Although the DPF is now in effect, it applies only to data transfers from EU/EEA countries to the US. Any organisation based in the EU that intends to transfer personal data to the US will need to carry out the necessary due diligence and confirm that the receiving US organisation is listed as certified on the DPF programme website. An organisation initiating a data transfer from the UK or Switzerland will instead need to rely on the UK International Data Transfer Agreement ('IDTA') or the UK Addendum to the EU SCCs, and conduct a Transfer Risk Assessment ('TRA'). It is still uncertain whether the UK or Switzerland will adopt the DPF so as to permit data transfers to the US from their respective countries without any further requirements.
The new EU-US Data Privacy Framework represents a significant step forward in global data protection. It is poised to create a more secure, transparent and trustworthy environment for data transfers and international business operations.
In an increasingly interconnected world, safeguarding personal data is paramount. This new framework sets the stage for international agreements that prioritise individual privacy and data security, ensuring that businesses and professionals can thrive in a data-driven global economy.
That said, on 9 September the first request for annulment of the adequacy decision on the EU-US Data Privacy Framework was submitted to the Court of Justice of the European Union by a French Member of the European Parliament. Max Schrems, the Austrian privacy activist who initiated the two earlier challenges, has already announced that he is also willing to challenge the DPF, calling the new framework on the X platform (previously Twitter) "a copy" of the Privacy Shield, and stating that the changes made to US surveillance law to make this work are simply not enough at this stage.
It is therefore only a matter of time before we learn whether the CJEU's decision on these challenges leads to yet another dead end, or finally secures the long-awaited stability in this still-evolving area of privacy law.
Our law firm can help you navigate your GDPR compliance journey and assist you in identifying and minimising your operational risks against the requirements of the Regulation. Our lawyers are available to assist you.
The content of this article is valid as at the date of its first publication. It is intended to provide a general guide to the subject matter and does not constitute legal advice. We recommend that you seek professional advice on your specific matter before acting on any information provided. For further information or advice, please contact Lefteris Eleftheriou, Legal Consultant at Nicosia Office, Tel +357 22447777, or email email@example.com