Basically, all business models involving tech are inconceivable without services from American companies. Data transfers to these companies can therefore hardly be avoided. However, many of these data transfers involve personal data, so European data protection law, in particular the General Data Protection Regulation (GDPR), must be observed. The GDPR stipulates various requirements for data transfers to areas outside the European Economic Area (EEA) - so-called "third countries", such as the U.S. An important basis for data transfers to third countries is the so-called "adequacy decision": personal data may be transferred to those third countries for which the EU Commission has decided that the third country in question offers an adequate level of data protection.
Such an adequacy decision existed for the U.S. in the form of the "Privacy Shield" agreement from 2016. However, the European Court of Justice (ECJ) declared this adequacy decision invalid in its "Schrems II" ruling of July 16, 2020. The ECJ concluded that the Privacy Shield allowed for too broad access rights by U.S. intelligence services. It gave undue priority to the requirements of national security, public interest and compliance with U.S. law, which did not limit intrusions to a proportionate level - more data than strictly necessary could be collected. Furthermore, no appropriate legal remedies had been provided to data subjects in case of unlawful data access by the intelligence services.
After the ruling, companies certified under the Privacy Shield were effectively compelled to conclude so-called "standard contractual clauses" as an alternative measure to justify their data transfers. However, relying on the standard contractual clauses proves to be a complex challenge in practice. Because of the effort involved, there has always been a desire for a new edition of the Privacy Shield.
After negotiations with the EU Commission, the Biden Administration promised to rein in the secret surveillance. The Commission, confident that the U.S. assurances will stand a new test before the ECJ, presented a draft of a new adequacy decision on 14 December 2022, the "Data Privacy Framework" or "DPF".
The most important points in brief:
Data Importer Obligations:
In order to benefit from the adequacy decision of the EU Commission, U.S. data importers must submit to and self-certify under the DPF Principles. These correspond to the principles already developed for the Privacy Shield, so presumably all companies that have already been certified under it could also be certified under the DPF. Businesses can only be certified under the DPF if they are subject to regulation by the U.S. Federal Trade Commission or the U.S. Department of Transportation. The certification will only be accepted by the Department of Commerce if the U.S. business commits to adhering to seven principles, namely:
- to inform transparently about their data processing (Notice Principle),
- to offer individuals the opportunity to choose (opt out) whether personal information is disclosed to a third party or used for a purpose that is different from the purpose(s) for which it was originally collected (Choice Principle),
- to accept responsibility for onward transfers (Accountability for Onward Transfer Principle),
- to ensure data security (Security Principle),
- to process only relevant data (Data Integrity and Purpose Limitation Principle),
- to grant data subject rights (Access Principle) and
- to enable effective legal protection (Recourse, Enforcement and Liability Principle).
In addition, there are supplementary principles and special provisions for special categories of data, such as data from employment relationships, medical research or journalistic activities. The self-certification must be repeated annually.
Intelligence agencies’ obligations:
The two biggest differences between the DPF and its predecessor concern the intelligence agencies’ obligations:
- First, the DPF relies on an Executive Order and not – like the Privacy Shield – on a Presidential Policy Directive. Under U.S. law, an Executive Order likely has more force and cannot be secretly repealed.
- Second, in the Executive Order and accompanying regulation, the United States commits itself to ensuring that public authorities act proportionately when accessing personal data from Europe.
In particular, the intelligence agencies should be able to carry out bulk surveillance in exceptional cases only. Furthermore, they should limit their activities to the cases mentioned in the Executive Order (e.g. counter-terrorism) while maintaining proportionality.
Furthermore, an independent review procedure is introduced to deal with complaints of EU citizens related to suspected unlawful processing of their data by intelligence agencies. A Civil Liberties Protection Officer of the Office of the Director of National Intelligence (ODNI CLPO) and a Data Protection Review Court (DPRC) are to examine data processing by intelligence agencies and remedy abuses on complaints from those affected. The intelligence agencies are obliged to implement the decisions of these bodies. Under the Privacy Shield, a Privacy Shield Ombudsperson could issue a report and ask the surveillance authorities to remedy deficiencies, but they were not legally obliged to act according to the Ombudsperson's advice.
Entry into force:
The entry into force of the DPF depends on two factors:
- On the one hand, it must successfully complete the procedure in the European Union. This is expected to be the case in July 2023.
- On the other hand, the U.S. must make good on its "promises" as laid down in the Executive Order and apply it with regard to the European Union. This means that
i. U.S. intelligence agencies must actually implement the requirements laid out in the Executive Order and
ii. the U.S. government must still explicitly recognize the European Union as a qualifying entity within the meaning of the Executive Order.
- It is currently difficult to say when this will happen – especially since it is not clear from the adequacy decision how the U.S. is to provide proof of the implementation.
The Road ahead:
Once the adequacy decision is in force, it will form the basis for data transfers for the coming years. For how long remains to be seen – it is only a matter of time until the matter is brought before the ECJ, which will have to decide on the future of the DPF.