EU-US Data Privacy Framework: third time's a charm?
SÉRVULO PUBLICATIONS 20 Jul 2023
On 10 July 2023, the European Commission adopted an adequacy decision concerning the EU-US Data Privacy Framework (the «Data Privacy Framework»). Despite concerns expressed by the European Data Protection Board[1] and the European Parliament[2] regarding the draft adequacy decision, the final text was adopted with favorable votes from 24 Member States and 3 abstentions.
According to the General Data Protection Regulation (GDPR), an adequacy decision allows the transfer of personal data from the European Union (EU) to a third country. The Commission adopts such a decision when it considers that the country to which the data will be transferred ensures a level of personal data protection that is essentially equivalent to that guaranteed within the EU.[3]
To ensure the lawfulness of personal data transfers from the EU to the United States of America (US), importing entities located in the US that wish to benefit from the new decision must adhere to the Data Privacy Framework and comply with the obligations set forth therein.
The recently adopted decision is the third similar decision concerning the transfer of personal data from the EU to the US. The two previous decisions, namely the «Safe Harbor» Decision (Decision 2000/520/EC, of 26 July 2000) and the «Privacy Shield» Decision (Implementing Decision (EU) 2016/1250, of 12 July 2016), both adopted under Directive 95/46/EC[4], were declared invalid by the Court of Justice of the European Union (CJEU) in the judgments known as Schrems I (2015) and Schrems II (2020)[5].
Since the annulment of the «Privacy Shield» decision in 2020, the most accessible instrument to ensure the lawfulness of the data transfers from the EU to the US has been the «standard contractual clauses» approved by the European Commission, which aim to ensure appropriate data protection safeguards for international transfers.[6]
Commitments by the US and obligations imposed by the EU
The new decision comes nine months after US President Joe Biden signed Executive Order 14086 («EO 14086»), which envisages new privacy and data protection safeguards to be adopted by the US in response to concerns raised by the CJEU in the Schrems II judgment.
Among the commitments made in EO 14086 and integrated into the Data Privacy Framework are the establishment of guarantees limiting access to personal data by US intelligence services to what is necessary and proportionate to ensure national security, and the creation of the Data Protection Review Court («DPRC»), an independent and impartial body with the authority to investigate and resolve complaints from EU citizens regarding the collection and use of personal data by US intelligence services and to adopt binding corrective measures.
Furthermore, the decision introduces a set of obligations to be fulfilled by US businesses and organizations importing personal data of EU citizens, including the obligation to delete data when it is no longer necessary for the purpose for which it was collected and to ensure continued protection when data is shared with third parties.
The Data Privacy Framework will be subject to periodic reviews by the European Commission, in conjunction with European data protection authorities and US authorities. The first review will take place one year after the decision comes into effect.
Schrems III?
For Max Schrems, an Austrian privacy activist whose complaints against Facebook led to both Schrems judgments, the new adequacy decision does not introduce substantial changes to the US Foreign Intelligence Surveillance Act («FISA») and is a copy of the «Safe Harbor» and «Privacy Shield» decisions. According to Schrems, without a review of that law, the new adequacy decision will not ensure an adequate level of data protection for European citizens.
The non-governmental organization «NOYB – European Centre for Digital Rights», founded by Schrems in 2017, has already announced on its website that it intends to bring the new decision before the CJEU by the beginning of next year.[7]
[3] Article 45 (1) and (3) of the GDPR.
[4] Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data, repealed by the GDPR.
[5] Judgment of 6 October 2015, Maximillian Schrems v. Data Protection Commissioner, C-362/14, available here; and Judgment of 16 July 2020, Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems, C-311/18, available here.
[6] Article 46 (2) (c) of the GDPR.