EU-U.S. Data Privacy Framework – how long will it last?

What does this mean and are legal challenges expected?

The European Commission has adopted its adequacy decision for the EU-U.S. Data Privacy Framework (DPF). The EC confirmed that the DPF gives transferred personal data a level of protection comparable to that provided within the EU.

The new framework enters into force immediately, as of 11th July 2023. This decision provides a new lawful means for data transfers from exporters based in the EU to the U.S.

It works in a similar way to the previous Privacy Shield, and will only apply where US organisations certify compliance with the DPF’s principles.

It’s proposed the UK-US ‘Data Bridge’ will shortly piggyback off this EU-US agreement.

U.S. says commitments have been met

Granting this adequacy decision required significant changes to U.S. intelligence gathering activities. The EC’s decision was made a few days after the U.S. announced it had completed the key commitments under President Biden’s executive order regarding the DPF. A press release published by the European Commission confirmed:

“The EU-U.S. Data Privacy Framework introduces new binding safeguards to address all the concerns raised by the European Court of Justice, including limiting access to EU data by U.S. intelligence services to what is necessary and proportionate and establishing a Data Protection Review Court.”

Robert Bond, Senior Counsel at Privacy Partnerships and Chair of the DPN Advisory Group commented:

“The new framework introduces significant improvements compared to the mechanism that existed under the Privacy Shield. The safeguards put in place by the US will also facilitate transatlantic data flows more generally, since they apply when data is transferred by using other tools, such as SCCs and BCRs and as the DPF is an adequacy decision by the EU in respect of the data privacy regime in the US, this may simplify the EU transfer impact assessment requirements.”

Self-certification

Crucially, US based data importers must certify their compliance with the DPF principles. These are an updated version of the previous Privacy Shield principles. Organisations which were certified under the Privacy Shield are likely to be in a good position to self-certify under the DPF.

To join the DPF, an eligible organisation must develop a privacy policy which conforms to expected standards, identify an independent recourse mechanism and self-certify through the U.S. Department of Commerce’s DPF website.

EU-based data exporters will be able to check a list on the DPF website to see if a US organisation is certified or not.

Legal challenge is on its way

Both of the past EU-U.S. data transfer frameworks, Safe Harbor and Privacy Shield, were ruled invalid by the Court of Justice of the European Union (CJEU). Concerns are therefore likely to remain about the longevity of the DPF.

noyb, headed up by the infamous Austrian Max Schrems, has already stated its view that the ‘New Trans-Atlantic Data Privacy Framework is largely a copy of Privacy Shield’ and confirmed it plans to challenge the EC’s decision. So watch this space!