The EU-US Data Privacy Framework (DPF) is seen as a significant development in the fast-moving and often hotly debated space of international data privacy regulation. The framework attempts to establish several essential principles and safeguards and a mechanism for monitoring and enforcement. In this blog post, we will take a closer look at the EU-US DPF, how it works, and its implications for companies doing business in the US and the EU.
What is the EU-US Data Privacy Framework?
The EU-US DPF is an important development in the transatlantic data privacy regulatory space. As the successor to the EU-US Privacy Shield, which the CJEU invalidated in 2020, the EU-US DPF enables the transfer of EU personal data to US organisations that have self-certified to the framework.
The framework received the European Commission's formal endorsement when it adopted its adequacy decision on 10 July 2023. The decision concluded that the US ensures a level of protection for personal data transferred from the EU that is essentially equivalent to that of the EU, provided the data is transferred to a US organisation that has self-certified its compliance with the DPF Principles.
Additionally, the framework establishes an independent and impartial redress mechanism. This mechanism aims to handle and resolve complaints from Europeans regarding the collection of their data for national security purposes.
Addressing concerns about access to data by US intelligence agencies
To address the concerns raised by the Court of Justice of the European Union (CJEU) in its Schrems II decision of July 2020 about access to data by US intelligence agencies, the US adopted Executive Order 14086 on ‘Enhancing Safeguards for United States Signals Intelligence Activities’ (the Order), signed by President Biden in October 2022 and accompanied by regulations adopted by the Attorney General. The Order is a key element of the US legal framework on which the adequacy decision is based.
To address the concerns raised by the CJEU, the Executive Order offers Europeans protection in three key areas.
Firstly, signals intelligence activities may access data only to the extent necessary and proportionate to a legitimate national security objective. This is intended to rule out indiscriminate or bulk access without limits.
Secondly, there is enhanced oversight of the activities of US intelligence services, to ensure compliance with the limitations placed on surveillance.
Thirdly, the framework establishes an independent and impartial redress mechanism with two tiers. A complaint from an individual in the EU is first investigated by the Civil Liberties Protection Officer of the Office of the Director of National Intelligence; that determination can then be reviewed by a new Data Protection Review Court, which investigates and resolves complaints regarding access to the complainant's data by US national security authorities. The Order directed the Attorney General to establish the Court within 60 days of its signature, and the Court operates under regulations issued by the Attorney General.
When does it come into force?
The EU-US Data Privacy Framework entered into force on 10 July 2023, the day the European Commission adopted the adequacy decision. This is, of course, just the beginning. The Commission will continuously monitor developments in the US and conduct regular reviews of the adequacy decision. The first review is scheduled for one year after the decision’s entry into force. Subsequent reviews will occur at least every four years, with the Commission deciding on the periodicity in consultation with EU Member States and data protection authorities.
What does the DPF mean for transfer mechanisms already in place?
The safeguards introduced by the US Government on national security access apply to all transfers of personal data under the GDPR to companies in the US, regardless of the transfer mechanism used. Other transfer tools, such as standard contractual clauses and binding corporate rules, therefore remain available, and the new US safeguards can be taken into account in the transfer impact assessments those tools still require. This means that companies can, for now, continue to rely on these mechanisms to transfer data between the EU and the US.
However, US companies that wish to rely on the EU-US Data Privacy Framework must self-certify to it through the US Department of Commerce and be placed on the DPF List. Self-certification is open on an ongoing basis; the 10 October 2023 date applied to organisations that were previously certified under the Privacy Shield, which had until then to update their privacy policies to reference the DPF Principles. As stated on the framework's official website (U.S. Businesses, dataprivacyframework.gov), “If an organization is found to have persistently failed to comply with the DPF Principles, it is no longer entitled to receive personal information pursuant to the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF”.
Summary
Transatlantic data transfers remain a topic of intense debate, and these recent decisions are unlikely to be the final word in the conversation. For now, the DPF provides a pathway for EU companies to continue transferring data to the US while upholding privacy standards, and it lays the foundation for what the UK has referred to as the UK-US ‘Data Bridge’.
Organisations must keep up to date with developments in this area to maintain a robust compliance position. If you would like to learn more about what professional support on these issues could mean for your organisation, don’t hesitate to get in touch.