On 10 July the European Commission issued its long-awaited GDPR adequacy decision for the EU-US Data Privacy Framework (DPF). Personal data can now be transferred from the EU to US companies participating in the framework, without having to put in place additional data protection safeguards or risking GDPR enforcement action. Just two months ago the owner of Facebook, Meta Ireland, was the subject of the largest ever GDPR fine of €1.2bn (£1bn) when Ireland’s Data Protection Commission ruled that Facebook’s US data transfers were not GDPR-compliant. The new adequacy decision concludes that the US ensures an adequate level of protection, comparable to that of the EU, for personal data transferred from the EU to US companies under the new framework.

Ibrahim Hasan

The background to the DPF is the July 2020 judgment of the European Court of Justice (ECJ) in a case brought by privacy campaigner Max Schrems. In Schrems II the court ruled that organisations transferring personal data to the US could no longer rely on the Privacy Shield Framework as a legal transfer tool, because it failed to protect the rights of EU data subjects when their data was accessed by US public authorities. First, the ECJ found that US surveillance programmes are not limited to what is strictly necessary and proportionate, as EU law requires, and hence do not meet the requirements of Article 52 of the EU Charter of Fundamental Rights.

Second, with regard to US surveillance, EU data subjects lack actionable judicial redress and therefore do not have a right to an effective remedy in the US, as required by Article 47 of the EU charter. However, the ECJ confirmed that organisations transferring personal data to the US can still use the Article 49 GDPR derogations or standard contractual clauses (SCCs). If using the latter, whether for transfers to the US or to other countries, the ECJ placed the onus on the data exporter to make a complex assessment of the recipient country’s data protection legislation (a Transfer Impact Assessment) and, where that assessment shows the SCCs alone are not enough, to put in place ‘supplementary measures’ in addition to those included in the SCCs.

Since the Schrems II ruling, replacing the privacy shield has been a priority for EU and US officials. President Biden signed an executive order in October 2022, paving the way for the European Commission to publish a draft ‘adequacy decision’ in December 2022.

The DPF introduces new binding safeguards intended to address all the concerns raised by the ECJ in Schrems II. These include limiting access to EU data by US intelligence services to what is necessary and proportionate, and establishing a Data Protection Review Court (DPRC), to which EU individuals will have access. The DPF also introduces significant improvements compared with the mechanism that existed under the privacy shield. For example, if the DPRC finds that data was collected in violation of the new safeguards, it will be able to order the deletion of that data. EU individuals will also benefit from several redress avenues should their data be wrongly handled by US companies. These include free-of-charge independent dispute resolution mechanisms and an arbitration panel.

Just like the old privacy shield, US companies can self-certify their participation in the DPF by committing to comply with a detailed set of privacy obligations. These include privacy principles such as purpose limitation, data minimisation and data retention, as well as specific obligations concerning data security and the sharing of data with third parties. The DPF will be administered by the US Department of Commerce and enforced by the US Federal Trade Commission. Many US companies remain self-certified to privacy shield standards, so transitioning to the DPF will not be a difficult task for them. As far as EU organisations go, all they need to do now, before transferring personal data to the US, is check that the organisation receiving their data is certified under the DPF: in practice, that means confirming on the Department of Commerce’s public DPF list that the recipient’s certification is active and covers the category of data being transferred (certifications state separately whether they extend to HR data).

Max Schrems, though, is not impressed. He has said there is little change in US law or in the approach taken by the EU since his last legal challenge. From his public statements, it seems ‘Schrems III’ is very likely: ‘We have various options for a challenge already in the drawer, although we are sick and tired of this legal ping-pong. We currently expect this to be back at the Court of Justice by the beginning of next year. The Court of Justice could then even suspend the new deal while it is reviewing the substance of it.’

It is important to note that the adoption of the DPF does not automatically grant adequacy status to the US for data transfers from the UK. The UK now has its own data protection regime in the form of the UK GDPR. The government is working on its own adequacy finding for the US, having announced in June that both countries have committed in principle to establishing a ‘data bridge’. Taking into account the safeguards and mechanisms put in place by the DPF, the UK may well adopt a similar framework or recognise the adequacy decision made by the European Commission. Until such a decision is made, UK businesses must continue to rely on other transfer mechanisms to send personal data to the US, such as the ICO’s International Data Transfer Agreement or its Addendum to the EU standard contractual clauses, binding corporate rules, or explicit consent.

Ibrahim Hasan is a lawyer and director of Act Now Training Limited