Easier data transfer to the U.S. - EU Commission adopts EU-U.S. Data Privacy Framework

What is it about?

Ac­cor­ding to the Ge­ne­ral Data Pro­tec­tion Re­gu­la­tion (GDPR), the trans­fer of per­so­nal data to third coun­tries out­side the EU is only per­mit­ted if there exists an ade­quate le­vel of data pro­tec­tion. Ar­ti­cle 45(3) of the GDPR grants the EU Com­mis­sion the power to de­cide by me­ans of an im­ple­men­ting act that a non-EU coun­try en­su­res an ade­quate le­vel of pri­vacy pro­tec­tion. An ade­quate le­vel of pro­tec­tion exists in par­ti­cu­lar if the data es­sen­ti­ally cor­re­sponds to the le­vel of pro­tec­tion wi­thin the EU. The ef­fect of ade­quacy de­ci­si­ons is that per­so­nal data can flow fre­ely from the EU (and Nor­way, Liech­ten­stein and Ice­land) to the re­spec­tive third coun­try wi­thout fur­ther obst­acles.

© unsplash

Since the Snow­den reve­la­ti­ons, the trans­fer of per­so­nal data to the USA has re­gu­larly been the sub­ject of ju­di­cial re­view by the ECJ. The ECJ most re­cently de­cla­red the pre­vious EU-U.S. Pri­vacy Shield to be in bre­ach of the GDPR in its judg­ment of July 16, 2020 (Case C-311/18, Fa­ce­book Ire­land v. Schrems II), thus es­ta­blis­hing its in­va­li­dity. In par­ti­cu­lar, the ECJ cri­ti­ci­zed that against the back­ground of the ac­cess pos­si­bi­li­ties by the U.S. se­cu­rity aut­ho­ri­ties, the data pro­tec­tion re­qui­re­ments are not met and the le­gal pro­tec­tion for data sub­jects is in­suf­fi­ci­ent. Since data ex­change bet­ween the EU and the U.S. is es­sen­tial in eco­no­mic tran­sac­tions, the EU Com­mis­sion and the U.S. go­vern­ment im­me­dia­tely be­gan talks on a new frame­work and laun­ched the EU-U.S. Data Pri­vacy Frame­work

New EU-U.S. Data Privacy Framework

Ba­sed on the new EU-U.S. Data Pri­vacy Frame­work, per­so­nal data can now be trans­fer­red se­cu­rely from the EU to U.S. com­pa­nies par­ti­ci­pa­ting in the Pri­vacy Frame­work wi­thout the need for ad­di­tio­nal data pro­tec­tion safe­guards.

This is ac­com­plis­hed be­cause the EU-U.S. Data Pri­vacy Frame­work in­tro­du­ces new bin­ding safe­guards to ad­dress con­cerns rai­sed by the ECJ. The new frame­work in­tro­du­ces si­gni­fi­cant im­pro­ve­ments over the pre­vious me­cha­nism in place un­der the Pri­vacy Shield. It pro­vi­des that ac­cess by U.S. in­tel­li­gence agen­cies to EU data will be li­mited to a ne­cessary and pro­por­tio­nate le­vel. It also es­ta­blis­hes a Data Pro­tec­tion Re­view Court, or DPRC, to which in­di­vi­du­als in the EU will have ac­cess. If the DPRC finds that data has been col­lec­ted in bre­ach of the new safe­guards, it can or­der the U.S. aut­ho­ri­ties to de­lete the data. The new go­vern­ment data ac­cess safe­guards are in­ten­ded to com­ple­ment the ob­li­ga­ti­ons to which U.S. com­pa­nies are sub­ject when im­por­ting data from the EU.

Obligations for U.S. companies

In or­der for U.S. com­pa­nies to be­ne­fit from the EU-U.S. Data Pri­vacy Frame­work, they must cer­tify ac­cor­din­gly with the U.S. De­part­ment of Com­merce. In doing so, they agree to com­ply with a num­ber of de­tai­led data pro­tec­tion ob­li­ga­ti­ons. These in­clude, for ex­am­ple, the re­qui­re­ment to de­lete per­so­nal data when it is no lon­ger ne­cessary for the pur­pose for which it was col­lec­ted and to en­sure con­ti­nuity of pro­tec­tion when per­so­nal data is sha­red with third par­ties. The new no ad­di­tio­nal mea­su­res rule only ap­plies if the U.S. com­pany to which the data is trans­fer­red is cer­ti­fied un­der the EU-U.S. Data Pri­vacy Frame­work. EU-ba­sed com­pa­nies must ve­rify this in ad­vance. A cor­re­spon­ding list of cer­ti­fied or­ga­niza­ti­ons will soon be publis­hed by the U. S. De­part­ment of Com­merce on a new web­site.

Rights for EU citizens

EU ci­ti­zens have se­veral le­gal re­me­dies avail­able in case their data is in­cor­rectly pro­ces­sed by U.S. com­pa­nies. These in­clude free in­de­pen­dent dis­pute re­so­lu­tion me­cha­nisms and a me­dia­tion ser­vice. They will be gran­ted ac­cess to an in­de­pen­dent and im­par­tial re­dress me­cha­nism re­gar­ding the col­lec­tion and use of their data by U.S. in­tel­li­gence agen­cies. For this the newly crea­ted Data Pro­tec­tion Re­view Court (DPRC) is re­spon­si­ble.

In ad­di­tion, the U.S. re­gu­latory frame­work pro­vi­des a num­ber of safe­guards for ac­cess to data trans­fer­red un­der the frame­work by U.S. agen­cies. These pro­tec­tions re­late spe­ci­fi­cally to law en­force­ment and na­tio­nal se­cu­rity pur­po­ses.

Easier transatlantic data flow

The safe­guards put in place by the U.S. will also fa­ci­li­tate trans­at­lan­tic data flows in ge­ne­ral. They will also ap­ply when data is trans­fer­red using other tools such as stan­dard con­trac­tual clau­ses and bin­ding cor­po­rate ru­les.

Regular evaluations

The func­tio­ning of the EU-U.S. Data Pri­vacy Frame­work will be sub­ject to pe­rio­dic re­views con­duc­ted by the EU Com­mis­sion to­ge­ther with re­pre­sen­ta­ti­ves of Eu­ro­pean data pro­tec­tion aut­ho­ri­ties and com­pe­tent U.S. aut­ho­ri­ties. The first eva­lua­tion will take place wi­thin one year of the Frame­work's entry into force to ve­rify that all re­le­vant ele­ments have been fully im­ple­men­ted in the U.S. le­gal frame­work and are func­tio­ning ef­fec­tively in prac­tice.

All is’s well that ends well?

Of course, the ade­quacy de­ci­sion and the Pri­vacy Frame­work are not wi­thout con­tro­versy among data pro­tec­tio­nists. Al­re­ady in the run-up, both the EU Par­lia­ment and the Eu­ro­pean Data Pro­tec­tion Board - the as­so­cia­tion of Eu­ro­pean data pro­tec­tion su­per­vi­sory aut­ho­ri­ties - had ex­pres­sed doubts about the new mea­su­res. In par­ti­cu­lar, the fo­cus is on the ef­fec­tiv­en­ess of the newly an­noun­ced pro­tec­tive mea­su­res for EU data sub­jects.

The "trig­ger" of the ECJ's Schrems ru­ling, Max Schrems, also an­noun­ced with his or­ga­niza­tion noyb that he will chal­lenge data trans­fers ba­sed on the Pri­vacy Frame­work in court and thus achieve a re­ne­wed re­view by the ECJ. In this con­text, noyb as­su­mes that the pro­por­tio­na­lity of the mea­su­res ta­ken, as de­ter­mi­ned by the EU Com­mis­sion, does not suf­fi­ci­ently take into ac­count the re­qui­re­ments of the ECJ, even in its cur­rent form, as the chan­ges to the in­tel­li­gence laws in the USA are only in­suf­fi­ci­ent.

Only the ECJ and the EU Commission can overturn the adequacy decision

Howe­ver, it is a long way th­rough the in­stan­ces be­fore the ECJ re­aches a de­ci­sion on the in­va­li­dity of the EU-U.S. Data Pri­vacy Frame­work. In this re­spect, the su­per­vi­sory aut­ho­ri­ties are also bound by the de­ci­sion is­sued by the Com­mis­sion. Un­less the EU Com­mis­sion wi­th­draws the ade­quacy de­ci­sion as part of the re­gu­lar eva­lua­tion, it will re­main in force un­til a tem­porary sus­pen­sion or fi­nal de­ci­sion by the ECJ and is thus a per­mis­si­ble le­gal ba­sis for the trans­fer of per­so­nal data to cer­ti­fied U.S. com­pa­nies.