On the 10th of July 2023, the European Commission adopted its adequacy decision under the EU-US Data Privacy Framework (“DPF”) – a recognition that the United States ensures a standard of protection for personal data that is “essentially equivalent” to that under the GDPR. Following the "UK Extension to the EU-US Data Privacy Framework" (“UK Extension”), made under Article 45 of the UK General Data Protection Regulation (“GDPR”) and established on the 12th October 2023, UK businesses gained the ability to transfer personal data to US organisations certified under the DPF.
Currently, the United States does not have federal data privacy legislation in place. The American Data Privacy and Protection Act (“ADPPA”) – which would be the US’ first federal data privacy law – is slowly making its way through US Congress. In its absence, a more sectoral and state-based approach to data privacy compliance has developed, where certain sectors are covered by specific acts such as the Health Insurance Portability and Accountability Act (“HIPAA”) for the protection of health data, the Children’s Online Privacy Protection Act (“COPPA”) for the protection of children’s data and the Gramm-Leach-Bliley Act (“GLBA”) for the protection of consumers using financial services. Furthermore, certain states have developed their own privacy legislation, and more is set to follow in 2024.
Why is a Privacy Agreement between the EU and the US Important?
The invalidation of the Safe Harbour and, later, the Privacy Shield created issues for companies operating on a transatlantic basis. Data flows between the United States and the European Union underpin a significant $7.1 trillion in economic activity, and without the protection provided by these agreements, this trade is lost.
For businesses across both regions, having the free flow of data will go a long way in helping to uphold the transatlantic economy.
Invalidation of EU-US Safe Harbour & Privacy Shield:
The DPF marks the third transatlantic data privacy agreement between the United States and the European Union. In 2015, the Court of Justice of the European Union (CJEU) declared the first legal instrument between the United States and the European Union, the “Safe Harbour”, to be invalid. In 2019, the CJEU further rendered the successor of the “Safe Harbour”, the “Privacy Shield”, invalid. The data transfer mechanisms between the United States and the European Union have been on shaky ground ever since.
The first agreement – the “Safe Harbour” – was invalidated after Schrems I because it did not protect the personal information of European Union and US citizens against governmental interference by the US. The CJEU thus ruled that this unrestricted interference was a breach of the fundamental right to respect for private life, impinging on rights guaranteed under European law.
The second agreement – the “Privacy Shield” – was invalidated after Schrems II. Similarly, the CJEU established that the US did not provide adequate protection to European Union citizens from government surveillance. The European Data Protection Board stated that “transfers on the basis of this legal framework are illegal”.
As both cases highlighted, there is a conflict between US surveillance laws, which allow for the surveillance of both US and European Union citizens, and European data protection laws, which establish privacy protections. As the CJEU clarified in Schrems II, both the Safe Harbour and the Privacy Shield depended on the US providing a level of protection essentially equivalent to that guaranteed within the GDPR.
Schrems I and II were brought by Max Schrems after Edward Snowden’s public disclosure that US intelligence agencies can surveil European users via PRISM or Upstream. In Schrems I, Schrems argued that Facebook could not transfer his personal data to its US entity, as there was a possibility of the data being provided to US secret services without adequate protection. Following Schrems I, Facebook stated that it transferred data from the European Union to the US parent company on the basis of the Standard Contractual Clauses (SCCs). In Schrems II, Schrems contended that the SCCs could not justify the transfer of personal data to the US, as the surveillance programmes interfered with the rights to privacy, data protection and effective judicial protection. The CJEU reasoned that SCCs were not a panacea for the legality of a transfer, and that Facebook could not rely on the mechanism because it did not make up for the lacunae in the protection afforded by the US’ legal system.
For the US to receive an adequacy decision, US intelligence services’ access to the personal information of data subjects must be lawful and adequately limited by an impartial body. The previous ombudsperson did not meet the EU Charter of Fundamental Rights’ definition of a “tribunal”. Additionally, data subjects should have certain rights, such as those found under Articles 12-22 of the GDPR, that can be enforced against the controller or processor, and this had not been replicated across every state for all US citizens.
The US thus needed to at least have satisfied these requirements for an adequacy decision to have been reached.
Data Privacy Framework:
On the 10th of July 2023, the DPF was released, establishing that data could be transmitted freely between the European Union and the US under the requirements of the framework.
The release of this Framework follows on from years of collaboration to establish a mechanism between the US and the EEA for the transfer of data.
US Surveillance:
In October 2022, President Biden issued Executive Order (EO) 14086, “Enhancing Safeguards for US Signals Intelligence Activities”, which outlines protections with respect to government access to data for national security purposes. Section 2(a)(ii) of the Executive Order states that any intelligence activities should be subject to appropriate safeguards, ensuring privacy and civil liberties. Section 2(A) establishes that intelligence activities can only be conducted upon a “reasonable assessment of all relevant factors”. Additionally, Section 2(v)(d) subjects intelligence activities to rigorous oversight; for instance, each Intelligence Community element should have impartial, senior-level oversight. This creates a system of regular review. Section 3 provides a legal redress mechanism for any complaints about intelligence practices which do not reasonably balance these interests. Additionally, for European Union citizens, the Department of Justice regulations have been amended to establish the Data Protection Review Court, which consists of individuals chosen from outside the US Government and has full authority over the adjudication and remediation of claims.
For the Data Privacy Framework, this was an important development. The CJEU had indicated in Schrems I that any interference with fundamental rights and freedoms, such as the privacy protection of individuals, required clear and precise rules governing the scope and application of the measure. Furthermore, derogations from these protections must in any case apply only where they are deemed strictly necessary. The US government thus had to ensure that any interference with fundamental rights was restricted and clearly justified.
In reaching the DPF agreement, it was accepted by the CJEU that the EO provided stronger safeguards and a sufficient redress mechanism.
Data Subject Rights:
Under the EU-US DPF, individuals are provided with the right to transparent processing, a copy of their data, rectification, deletion, and a general right to opt out of direct marketing. As explained in recital 15, individuals have a right to object to, or opt out of, processing for purposes materially different from those for which the data was collected, and to any disclosure to a third party. Organisations are required to respond to access requests within a reasonable period of time. An organisation may set reasonable limits on the number of times a particular individual can make access requests, and may charge a fee for this where it is not excessive.
Currently, the provisions do not address decisions affecting the data subject based solely on the automated processing of personal data. However, for any data being collected in the Union, any decision based on automated processing will need to adhere to the GDPR. For specific scenarios such as credit scoring, US law offers specific safeguards such as under the Equal Credit Opportunity Act or the Fair Credit Reporting Act.
A two-layer process has been established for individuals whose data is being transferred from the Union to US companies. Individuals can submit complaints to their national data protection authority and the European Data Protection Board (“EDPB”), which will transmit them to the US. The Civil Liberties Protection Officer (“CLPO”) will investigate the complaints, and individuals can exercise their right to appeal to the Data Protection Review Court. A judgment is then issued on what appropriate remediation can be made.
What does the Data Privacy Framework (DPF) mean for companies:
The DPF has notable impacts for companies operating across the world.
European Union and United Kingdom:
UK and EU companies can transfer personal data to US companies certified under the DPF.
Before transferring data, therefore, UK and EU companies must verify whether the American company is certified. If it is certified, personal data can be transferred without additional data protection measures.
For uncertified US companies, data transfers remain feasible with appropriate safeguards. The law mandates that companies relying on SCCs must conduct a transfer impact assessment (TIA). The US government's safeguards concerning national security (including redress mechanisms) apply to all data transfers, irrespective of the transfer mechanism used.
United States:
US companies can participate in the EU-US Framework by adhering to a detailed set of privacy obligations known as the "EU-US Framework Principles." These principles include requirements such as data minimisation and ensuring protections when transferring data internationally. These principles are an updated version of those established under the Privacy Shield framework. Organisations previously certified under Privacy Shield will need to self-certify under the EU-US Framework but may expect outreach from the US Department of Commerce regarding recertification.
Any US company that pledges to comply with the EU-US Framework Principles must incorporate these privacy obligations into its policies. The US Department of Commerce will handle certification applications, and the US Federal Trade Commission will monitor compliance.
The Possibility of Schrems III:
As it stands, the EDPB has announced the Data Privacy Framework will be subject to review after one year of its publication (10th July 2024) and it remains to be seen what practical implications these considerations have.
Schrems is due to file a CJEU challenge using the fact that anyone whose personal data is transferred under the new deal can bring a challenge with the Data Protection Authorities or the Courts. Various procedural options have been discussed by Schrems and a final decision by the CJEU would likely be in 2024 or 2025 and will bring clarity to the Trans-Atlantic Data Privacy Framework even if the legal challenge does not lead to the suspension of the agreement.
Bottom-Line:
The opportunity for the free flow of data has subjected US businesses to certification under the DPF. Whilst this creates additional bureaucratic steps for businesses, it ensures protective measures for the transfer of data for US and EU citizens alike.