The EU-U.S. Data Privacy Framework

The legal admissibility of data transfers in the United States

The new EU-U.S. Data Privacy Framework has been adopted by the European Commission on July 10th 2023. The framework ensures a legal basis for transfer of personal data to US companies, if these companies have joined the EU-U.S. Data Privacy Framework.

1. Abstract

The Schrems II decision of the European Court of Justice (ECJ) caused the repeal of the Privacy Shield in 2021. The consequence of this was significant uncertainty regarding the transfer of personal data to the U.S. On 10 July 2023, the EU Commission approved the successor, the EU-U.S. Data Privacy Framework.
As with the previous model, US companies need to join the EU-U.S. Data Protection Framework to legitimize data exports from the EU to the US; however, this joining does not replace the agreement of data protection contracts between companies within the EU and US companies.
Furthermore, with the EU-U.S. Data Privacy Framework, there is again a legal basis for exporting personal data to the US without extended security measures, such as EU servers or Bring Your Own Key. But only if the US companies join the EU-U.S. Data Privacy Framework.

2. Data protection legal background

Article 45 (3) of the General Data Protection Regulation (GDPR) empowers the EU Commission to decide, using an implementing act, that a non-EU country ensures essentially an “adequate level of protection” concerning personal data. Adequacy decision means that personal data from the EU (plus Norway, Liechtenstein, and Iceland) can flow safely to a third country without further barriers. Examples are the UK, Japan, South Korea, and Switzerland.

3. Development since the Privacy Shield

The ECJ annulled the previous adequacy decision of the EU-U.S. Privacy Shield. After that, the EU Commission and the US government entered into negotiations about a new framework that deals with the issues the court has raised.
In March 2022, EU President von der Leyen and U.S. President Biden announced that they had agreed in principle on a new transatlantic framework for data traffic, following negotiations between EU Commissioner Reynders and US Secretary Raimondo. In October 2022, President Biden signed an Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’. Moreover, US Attorney General Garland supplemented the executive order with regulations. These two instruments implemented US commitments under the basic agreement into US law. In addition, they complement US companies’ obligations under the EU-U.S. Data Protection Framework. One key element of the US legal framework enshrining these safeguards is the US executive order “Enhancing Safeguards for United States Signals Intelligence Activities,” which addresses the concerns raised by the ECJ in its Schrems II decision of July 2020. The ECJ enacted these instruments to clarify the pending issues by the Schrems II judgment.
In the case that the personal data of Europeans flows to the US, the executive order provides for the following:
  • Binding guarantees that limit access to data by US intelligence agencies to what is necessary and proportionate for the protection of national security;
  • Increased supervision of the activities of US intelligence agencies to ensure compliance with restrictions on surveillance activities; and
  • The establishment of an independent and impartial mechanism of redress, including a new data protection review tribunal, that investigates and decides on complaints about access to their data by the US national security authorities.

4. New since 10 July 2023: Adequacy decision for certified US companies

The EU Commission adopted its adequacy decision for the EU-U.S. Data Protection Framework on 10 July 2023. The adequacy decision concludes that the US ensures an adequate level of protection compared to the EU for personal data transferred from the EU to US companies participating in the EU-U.S. Data Protection Framework.
US companies can join the EU-U.S. Data Protection Framework by agreeing to comply with some detailed data protection obligations, such as the obligation to delete personal data when it is no more necessary for the purpose for which they were collected and to ensure continuity of protection if personal data are transferred to third parties.
Generally, data protection principles such as purpose limitation, data minimization, and data storage, as well as specific obligations regarding data security and data transfer by third parties, are guaranteed. In addition, the US legal framework provides some safeguards for access to data transferred by US authorities based on the legal framework, particularly for prosecution and national security purposes. Access to the data is limited to what is necessary and proportionate to protect national security.
Moreover, now EU citizens can benefit from several redress avenues in case their data is not used in a legally compliant way by US companies. This includes free of charge independent dispute resolution mechanisms and an arbitration panel. Individuals in the EU have access to an independent and impartial redress process regarding the collection and use of their data by US intelligence agencies, including a newly created Data Protection Review Court (DPRC). The court will independently investigate and resolve complaints, including through the acceptance of binding remedies.
Individuals can lodge an admissible complaint without proving that their data has been collected by US intelligence agencies. In addition, everyone can complain to their national data protection authority, ensuring that the complaint is duly transmitted and that the citizen receives all further information about the procedure, including the outcome. It ensures that people can contact an authority in their area and in their language. The complaints are forwarded from the European Data Protection Board (EDPB) to the US.
Safeguards established by the US will also make transatlantic data traffic easier in general because they also apply to the transfer of data using other instruments, such as standard contractual clauses and binding corporate rules.

5. Evaluation and recommendation

Based on the available information, it is likely that corporations and large companies with a focus on the European market will join the EU-U.S. Data Protection Framework. However, lawsuits are already in preparation because the Schrems II movement considers that, as before, EU citizens are not sufficiently protected.
Existing data protection agreements with standard contractual clauses are still valid. However, the new conclusion of standard contractual clauses is no longer required if the US company has already declared its accession to the EU-U.S. Data Protection Framework. You can review on https://www.dataprivacyframework.gov/s/participant-search whether the concerning US company has registered to the EU-U.S. Data Privacy Framework. Additional security measures taken so far (e.g., hosting on EU servers) are still advisable. Thus, if the data importer is a party to the Data Protection Framework, it is possible to apply double safeguards. In case the EU-U.S. Data Protection Framework passes the ECJ despite lawsuits, there is a long-term legal basis for data transfers to the US that also allows long-term investments in using US service providers without particular data protection risk.