Finally! A new EU-US Data Transfer Framework

After three years of limbo, personal data can flow from the EU to companies in the United States that participate in the EU-US Data Privacy Framework. Following extensive and time-consuming negotiations, a revised EU-US Data Privacy Framework was adopted on 10 July 2023 by the European Commission. Thank goodness! But is this really the final chapter?

European Commission Adequacy Decision

The Commission determined that the EU-US Data Transfer Framework meets the EU ‘adequacy’ requirements, in that companies that adhere to the framework will provide an adequate level of data protection.

The EU’s official announcement states:

“The decision concludes that the United States ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new framework. On the basis of the new adequacy decision, personal data can flow safely from the EU to US companies participating in the Framework, without having to put in place additional data protection safeguards.”

What changed?

Negotiations seemed to stall for a long time with many thinking that a new data transfer arrangement may not be possible.

However, this changed when President Biden issued an Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’ on 7 October and a Regulation was issued by the US Attorney General. These instruments introduced new binding safeguards to address the points raised by the Court of Justice of the European Union (CJEU) in its Schrems II decision of July 2020.

Together they ensure that data can be accessed by U.S. intelligence agencies only to the extent necessary and proportionate, and they establish an independent and impartial redress mechanism to handle and resolve complaints from Europeans concerning the collection of their data for national security purposes.

In addition, a new Data Protection Review Court will allow European residents to bring claims against U.S. agencies if they believe their data was not gathered in a “necessary” and “proportionate” way for national security.

What is the EU-US Data Transfer Framework?

US companies can self-certify their participation in the EU-U.S. Data Privacy Framework by committing to comply with a detailed set of privacy obligations. These include, for example, privacy principles such as purpose limitation, data minimisation and data retention, as well as specific obligations concerning data security and the sharing of data with third parties.

The Framework also provides EU individuals whose data would be transferred to participating companies in the US with several new rights (e.g. to obtain access to their data, or obtain correction or deletion of incorrect or unlawfully handled data). In addition, it offers different redress avenues in case their data is wrongly handled, including before free of charge independent dispute resolution mechanisms and an arbitration panel.

The Framework will be administered by the FTC as part of the US Department of Commerce, which will process applications for certification and monitor whether participating companies continue to meet the certification requirements.

Some concerns

Some commentators have concerns about the new framework. Reservations include:

  • It does not cover all transfers to the US – it applies only to transfers of personal data to “US companies participating in the Framework.”
  • It only applies to US companies regulated by the FTC, so it does not cover data transfers to public sector entities or companies not on the Privacy Shield list (which is expected to be updated).

What next?

The European Data Protection Board will give its Opinion in due course. The UK government expects to reach a similar agreement with the US.

It is worth noting that, although this framework is an improvement on the previous one because the parties have taken care to respect the CJEU’s decisions in the previous two Schrems cases, it is highly likely to be challenged by Max Schrems. Mr Schrems has already stated that he does not believe the framework addresses some of the issues identified by the CJEU in the previous two challenges to EU-US data transfer mechanisms.

Some think his challenge is imminent.

According to Max Schrems, the allegedly “new” framework is anything but: “There is little change in US law or the approach taken by the EU and the press statements of today are almost a literal copy of the ones from the past 23 years. The fundamental problem with FISA 702 was not addressed by the US, as the US still takes the view that only US persons are worthy of constitutional rights. To make this work, we would need changes in US surveillance law, and we simply don’t have that.”

“We have various options for a challenge already in the drawer, although we are sick and tired of this legal ping-pong. We currently expect this to be back at the Court of Justice by the beginning of next year.”

So, we wait for Schrems III. And in the meantime, Facebook and Google can get back to business…

Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.