Key Point: The European Commission has adopted an adequacy decision for the EU-U.S. Data Privacy Framework, which allows U.S. businesses that self-certify under the framework to receive personal data from the EU without any additional transfer mechanism.
On July 10, 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework (“Privacy Framework”). Under the decision, U.S. companies that self-certify to the Privacy Framework are deemed to provide an adequate level of data protection, so personal data can be transferred to them from the EU without the additional safeguards (such as standard contractual clauses) that would otherwise be required. Restrictions of this kind on cross-border transfers date back to the EU’s 1995 data protection legislation and are now imposed by the General Data Protection Regulation (“GDPR”).
One of the key compliance concerns under GDPR has been that an organization may not transfer personal data to a country outside the EU unless the European Commission has found that the receiving country ensures an adequate level of data protection, or another transfer mechanism, such as standard contractual clauses (“SCCs”), is in place. In a limited number of cases, the European Commission has determined that a country’s laws provide an adequate level of protection, essentially allowing the free flow of personal data from the EU to that country.
In July 2020, the European Court of Justice (ECJ) held that Privacy Shield, the framework then governing transfers of personal data from the EU to participating U.S. companies, was invalid. That ruling led European and U.S. authorities to negotiate the Privacy Framework.
This article first provides a brief overview of the history of EU/U.S. efforts to establish a viable cross-border data transfer framework. It then summarizes the new Privacy Framework and the legal challenges expected against it.
Past Efforts Informing Current Efforts
Below is a simplified history of the efforts that have led to yet another adequacy decision between the EU and U.S.:
- 1995: The EU adopts its first data protection legislation, the Data Protection Directive (Directive 95/46/EC), which introduces the restrictions on cross-border transfers of personal data.
- 2000: The EU and U.S. establish the EU-U.S. Safe Harbor Framework (“Safe Harbor”) as a means of satisfying the Directive’s transfer requirements for participating U.S. companies. Safe Harbor is administered by the U.S. Department of Commerce and allows U.S. companies to self-certify their compliance with the Safe Harbor principles.
- 2013: Max Schrems files a complaint with the Irish Data Protection Commissioner (“DPC”) against Facebook, arguing that Facebook’s transfer of his personal data from the EU to the U.S. under Safe Harbor violates the privacy rights of European users. The DPC declines to investigate, and Schrems seeks judicial review in the Irish High Court, which refers the question of Safe Harbor’s validity to the European Court of Justice (ECJ).
- Oct. 6, 2015: The ECJ invalidates Safe Harbor with immediate effect, finding, among other things, that the mass surveillance programs conducted by U.S. intelligence agencies, such as the National Security Agency (“NSA”), undermined the privacy rights of EU citizens (“Schrems I ECJ Ruling”).
- April 14, 2016: The EU adopts the General Data Protection Regulation (GDPR), starting a two-year clock before it becomes applicable. GDPR carries over cross-border transfer restrictions very similar to those of the Data Protection Directive.
- July 12, 2016: The European Commission adopts its adequacy decision for the EU-U.S. Privacy Shield, a replacement for Safe Harbor. Like Safe Harbor, it is a self-certification framework administered by the U.S. Department of Commerce.
- August 16, 2016: Max Schrems pursues a reformulated complaint before the DPC targeting Facebook’s continued transfers to the U.S., now made under SCCs, raising concerns like those that caused the invalidation of Safe Harbor; the validity of Privacy Shield is drawn into the same proceedings. The DPC brings the matter before the Irish High Court, which refers it to the ECJ.
- May 25, 2018: GDPR becomes applicable and enforceable.
- July 16, 2020: The ECJ invalidates Privacy Shield with immediate effect, citing similar concerns about U.S. surveillance practices and the lack of effective remedies for EU citizens whose data is transferred to the U.S. The ECJ upholds SCCs as a transfer mechanism but emphasizes that an exporter relying on them must assess the level of protection in the recipient country and adopt supplementary measures where that protection falls short (“Schrems II ECJ Ruling”).
The Schrems II ECJ Ruling had far-reaching consequences for organizations transferring personal data from the EU to third countries, including the U.S. Among other things, it requires businesses to conduct case-by-case assessments (commonly called transfer impact assessments) of the data protection standards in recipient countries before relying on SCCs. Overall, the ruling has led to increased scrutiny of international data transfers across the board and has spurred the need for enhanced safeguards.
Obligations for U.S. Companies
To join the Privacy Framework, a U.S. company must be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC), the U.S. Department of Transportation (DoT), or another statutory body that can ensure compliance with the Privacy Framework. Further, U.S. companies must commit to comply with a set of specific privacy principles, including, but not limited to:
- Provide notice to data subjects, including of the organization’s participation in the Privacy Framework and the purposes for which their data is collected and used;
- Provide choice and opt-out mechanisms to data subjects;
- Enter into contracts with third parties so that data remains protected after onward transfer;
- Implement and maintain reasonable and appropriate security measures to protect data;
- Limit collection and processing to the purposes for which the data was collected;
- Allow data subjects to access their data and to correct or delete it, or to exercise other available rights;
- Implement effective recourse and enforcement mechanisms to ensure compliance with the Privacy Framework.
Success of Privacy Framework
Given the history of transfer mechanisms between the EU and U.S., it is unclear whether the Privacy Framework will sufficiently address the concerns that led to the invalidation of Safe Harbor and Privacy Shield. Indeed, Max Schrems’ organization, NOYB, has already stated its intent to challenge the new framework, claiming that it is “largely a copy of the failed ‘Privacy Shield.’”
The primary concern for EU citizens has long been protecting EU data from surveillance by the U.S. government, and, as noted, that concern has sunk the previous frameworks. The Privacy Framework relies on new U.S. commitments (adopted through Executive Order 14086) that limit access by U.S. intelligence agencies to what is necessary and proportionate and, among other redress options, establish a Data Protection Review Court that EU citizens can reach through their national data protection authorities. The Privacy Framework will also be subject to periodic reviews carried out by the European Commission together with representatives of EU data protection authorities and U.S. authorities.
It remains to be seen whether these safeguards, coupled with heightened obligations for U.S. companies, will secure the Privacy Framework and the free flow of data between EU and U.S. businesses.