EU-US data transfers - the European Commission issues a new Data Privacy Framework

The European Commission has just published the Data Privacy Framework (DPF) to facilitate the transfer of personal data from the EU to the US. The Data Privacy Framework is set to replace the Privacy Shield after its cancellation by the CJEU three years ago. With this new adequacy decision, the Commission acknowledges that the data protection rules implemented in the US provide an equivalent level of protection to the GDPR.


On July 10th, 2023, the European Commission adopted a new adequacy decision entitled Data Privacy Framework (DPF) to facilitate the transfer of personal data from the European Union to the United States. (1)

The purpose of this new program is to replace the previous data transfer system, i.e. the Privacy Shield cancelled in 2020, which had replaced the Safe Harbor program cancelled in 2015. (2) With the cancellation of the Privacy Shield, legal entities on both sides of the Atlantic found themselves in a delicate situation: the only possibility to transfer personal data legally between the EU and the US was pursuant to standard contractual clauses - SCCs (and after conducting a transfer impact assessment, or TIA), or for multinational companies, subject to implementing binding corporate rules (BCRs).

Given the importance of commercial relations between the EU and the US, it was necessary to develop a new program to facilitate data transfers.

With this new adequacy decision, the Commission acknowledges that the data protection rules implemented in the US provide an equivalent (or “adequate”) level of protection to the GDPR.


1. Why did we need a new adequacy decision?

The Data Privacy Framework is the third attempt by the US Government and the European Commission to roll out an adequacy procedure to facilitate personal data transfers between Europe and the United States. (3)

After the cancellation of the two previous adequacy decisions by the Court of Justice of the European Union, i.e. Safe Harbor in 2015 (aka “Schrems I decision”) and Privacy Shield in 2020 (“Schrems II decision”) for non-compliance to the 95/46 Data Privacy Directive, it became necessary to develop a new system to allow data transfers between the EU and the United States.

The new Data Privacy Framework has been subject to intense negotiations for several months between the US Government and the European Commission, the main differences between the DPF and the Privacy Shield being to remedy the non compliance issues identified by the CJEU in its 2020 decision.

To be able to come to an agreement with the EU Commission on the DPF, President Joe Biden signed an Executive Order on October 7th, 2022 strengthening the rules governing the activities of the US intelligence services. A regulation published by the Attorney General, creating the Data Protection Review Court (DPRC) supplements this Executive Order. (4)


2. The main provisions of the DPF

    a) The data protection principles found in the DPF

The DPF is based on the GDPR and therefore includes similar data protection principles such as:
   - The legal, loyal and transparent nature of the data processing, including consent and information of the data subject on the way his data is processed and how he can exercise his rights of access, correction, opposition and deletion;
   - Data collection for a particular purpose;
   - Data security, against data loss, misuse of data, unauthorized access and disclosure, data modification and destruction;
   - Data integrity and the accountability principle of the data controller;
   - Data conservation limited to the time necessary for data processing.

These protection principles remain applicable when data is further transferred to a third party (e.g. from the US data processor to a second level data processor).

    b) The main differences from the previous programs

- The issue of access to personal data under mass surveillance operations
The main criticism of the Privacy Shield was the possibility for US law enforcement and intelligence agencies (FBI, CIA, NSA, DHS) to access the personal data of European citizens for mass surveillance and investigation purposes.

The purpose of the Executive Order of October 7th, 2022 (EO 14086) is to specify the conditions under which US intelligence agencies may access and process personal data of European residents. Access to the data must be “necessary” and “proportionate” pursuant to the protection of national security. The people involved in intelligence activities will have to apply these necessity and proportionality principles before launching an intelligence operation. These conditions are included in the Data Privacy Framework.

- The absence of effective legal remedies against data processing by the US intelligence agencies
The second cause of cancellation of the Privacy Shield was the absence of an effective system of legal remedies for European data subjects in the US against data transfers or access to their personal data, especially in case of unjustified access to the data by the US intelligence agencies.

The Data Privacy Framework includes a two step legal recourse:
    1. Data subjects may file a claim with their supervisory authority (e.g. CNIL in France). The claim will be transferred to the United States through the European Data Protection Board (EDPB). It will then be examined by the Civil Liberties Protection Officer in charge of ensuring compliance of privacy and fundamental rights by the US intelligence agencies.
    2. The decisions of the Civil Liberties Protection Officer may be appealed before the Data Protection Review Court (DPRC). The purpose of the DPRC is to analyze and solve claims of European residents. The DPRC may decide that data which was unduly processed in violation of the new protection criteria must be deleted. The DPRC decisions are final.

- Application of protection rules to the other data transfer systems
The protection rules implemented by the United States will also apply to the other personal data transfer systems, i.e. transfers under standard contractual clauses (SCCs) or under binding corporate rules (BCRs).

    c) Application of the DPF to American corporations

Unlike the GDPR which applies to all the entities located in the European Union that process personal data (including entities outside the EU that process European residents data according to article 3 of the GDPR), the DPF like the previous programs is applicable as follows:
    1) Companies located in the United States, which decide to implement the DPF through a self certification system. These companies will be identified once their registration has been confirmed on the DPF list set up by the US Department of Commerce (DoC). DPF certification will be renewed annually.
    2) Certain lines of business are not covered by the DPF, such as banking and insurance.

Personal data transfers to US companies that are not registered on the DPF list remain subject to the signature of standard contractual clauses, or to BCRs for multinational companies. According to CNIL, “the guarantees provided by the US Government in the area of national security (including the claim mechanism) apply to all data transfers by public and private entities governed by GDPR to companies located in the United States. They are therefore applicable regardless of the transfer tool used (for exemple standard contractual clauses or binding corporate rules).”

Further data transfers by US companies are also covered by the DPF. Such transfers cannot be processed, unless:
processed pursuant to a particular purpose,
subject to the signature of a transfer agreement (or BCRs) between the US company and the recipient providing that the recipient applies the same level of protection as the DPF,
subject to the recipient acting only pursuant to the instructions of the US company.


3. Next steps

The Data Privacy Framework became effective on July 10th, 2023. It is not retroactive and therefore doesn’t apply to data transfers that occurred prior to that date.

    a) Registration on the DPF list

Implementation of the DPF in the US is managed by the Department of Commerce. (5)

US companies which were registered under the Privacy Shield and which want to benefit from the DPF must become compliant within 3 months, i.e. before October 10th, 2023. Other companies that want to benefit from the DPF can get compliant and will be registered on the DPF list as soon as they are confirmed.

Companies that don’t renew their DPF certification or that don’t comply with the DPF will be unlisted. Personal data will have to be either returned or deleted.

The DoC is also in charge of conducting ad hoc compliance checks on companies that are registered on the DPF list.

    b) Annual review of the Data Privacy Framework

The DPF will be subject to annual reviews by the Commission, the EDPB and the US authorities to ensure that it is duly applied. The first review is scheduled in July 2024.

The DPF may be upheld, amended, or even canceled should the EU authorities consider that the level of data protection is no longer met under that program.

    The Data Privacy Framework is already subject to criticisms, some even predicting its cancellation, like the previous two programs. According to Max Schrems, the Austrian activist who filed the previous two cancellation claims, the DPF doesn’t provide a better level of protection than its two predecessors, due to the fact that the new Data Protection Review Court is not independent and that its decisions are final. He further declared that his association - NYOB - would file a claim against this new adequacy decision before the European court.
 
The main difficulty is due to the different approach to privacy in Europe and in the US. There is still no federal law on data protection in the United States. Only 13 out of 50 states have a data privacy law. Apart from three states (California, Virginia and Colorado) that adopted global data protection laws the other states adopted sectorial laws (e.g. banking data protection, health data, consumer protection, etc.). (6) And the purpose, the scope and conditions of application of these laws differ from state to state…

Then, the interpretation criteria of “necessary” and “proportionate” processing as applied by the DPRC will probably differ from the interpretation criteria used by the CJEU.

However, given the importance of the economic issue at stake, let’s hope that this new adequacy decision lasts and provides a stable framework for data transfers between Europe and the United States.

(1) Commission Implementing Decision of 10.7.23 pursuant to regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework

(2) Safe Harbor cancellation decision : CJEU 6 October 2015, Case C-362/14 (“Schrems I”); Privacy Shield cancellation decision : CJEU16 July 2020, Case C-311/18 (“Schrems II”)

(3) GDPR and the new Data Privacy Framework are applicable in the European Union and the European Economic Area (EEA) i.e. Iceland, Liechtenstein and Norway

(4) Executive order 14086 of October 7, 2022 on Enhancing Safeguards for United States Signals Intelligence Activities (“EO 14086”)

(5) See Data Privacy Framework of the Department of Commerce

(6) Additional states have recently adopted global data protection laws, i.e. Utah and Connecticut

Bénédicte DELEPORTE
Avocat

Deleporte Wentz Avocat
www.dwavocat.com

July 2023