EU & US – The new EU-US Data Privacy Framework: Third time lucky?

On 10 July 2023, the EU Commission adopted its long-awaited adequacy decision on transfers to the US under the EU-US Data Privacy Framework (the “Framework”).

We consider the background to this very welcome announcement, some practical questions about its operation and whether it will be more durable than its two predecessors.

Why is the Framework needed?

The Framework is intended to facilitate transfers of personal data from the EU to the US. These have become increasingly problematic following the CJEU’s judgment in Schrems II (Case C-311/18). The decision concluded, in broad terms, that:

• The EU-U.S. Privacy Shield did not provide a valid basis to transfer personal data to the US. This is principally because US surveillance law did not contain sufficient safeguards to ensure it was proportionate and did not provide a sufficient remedy to EU citizens.
• Standard Contractual Clauses are valid. However, they can only be used if the underlying transfer must be assessed on a case-by-case basis (a “transfer impact assessment”) to determine whether the personal data will be adequately protected. In particular, this must consider potential access by law enforcement or national security agencies. 

This has proved problematic. Conducting these transfer impact assessments requires a great deal of effort (involving specialist US legal advice) and rarely provides a clear conclusion. EU data protection authorities have already started to prohibit some transfers of personal data to the US on the basis of the decision in Schrems II (e.g. here).

The Framework allows the transfer of personal data to US companies signed up to the Framework without the need for Standard Contractual Clauses or a transfer impact assessment. (Transfers by controllers to processors will still, or course, need a standard processor contract.)

What changes has the US made?

The main change made by the US is the signing of the Executive Order, On Enhancing Safeguards For United States Signals Intelligence Activities, on 7 October 2022 (the “Order”). To respond to the concerns raised by the CJEU, the Order makes a number of changes including:

• Adding more privacy and civil liberties safeguards for US signals intelligence activities. The Order requires that signal intelligence activities be necessary and proportionate and only for the purpose of 12 specific legitimate national security and/or intelligence objectives.
• Allowing bulk collection of signals intelligence but limiting its scope.
• Establishing additional oversight and independent review mechanisms to provide EU individuals with limited redress. This redress mechanism includes establishing a Civil Liberties Protection Officer and a Data Protection Review Court.

Some of these protections were conditional on the US designating the EEA states as ‘qualifying states’ for the purpose of the Order. That designation was made on 3 July 2023 and became effective upon the adoption of the adequacy decision by the EU for the Framework.

Further details about the protections afforded by the Order are available here.

Does it apply to all transfers to the US?

No. The Framework only applies to US companies that have joined the Framework. As with the previous Privacy Shield, only companies supervised by the US Federal Trade Commission or Department of Transport can join the Framework.

Helpfully, it appears that companies that were already certified under the Privacy Shield can easily transfer to the new regime. They do not need to make another self-certification submission and instead can just update their privacy policies by 10 October 2023 to benefit from the Framework. The website for the Framework therefore lists includes a large number of US participants (here).

However, entities that are not regulated by the US Federal Trade Commission or Department of Transport – for example, banks and telecoms companies – cannot join the Framework.

Does it help for transfers to entities not signed up to the Framework?

Yes. The Order applies broadly to information about EEA citizens and is not limited to transfers of personal data to companies signed up to the Framework.

This will be a highly relevant factor for transfers made by other means and arguably creates a presumption of adequacy for any transfer impact assessment of transfers to the US. In other words, if the Order means transfers are adequate to companies in the Framework vis-à-vis access by the US Government there is no reason for a different conclusion in relation to transfers under the Standard Contractual Clauses.

What about transfers from the UK and Switzerland?

The scope of the Framework will in due course apply to transfers from both the UK and Switzerland to the US.

To take advantage of this, US companies need to expressly self-certify compliance with the UK Extension to the Framework and the Swiss-US Data Privacy Framework. Both the UK and Switzerland must also adopt their own adequacy decisions – something that is expected to happen shortly.

What about transfers to the rest of the world?

The Framework only applies to transfers to the US. Many other third country states give their law enforcement and security services extensive surveillance powers, often with significantly less oversight and respect for the rule of law than that provided by the US.

Transfers to these jurisdictions are likely to continue to be problematic, relying frequently on Standard Contractual Clauses and complex and expensive transfer impact assessments.    

Will it be challenged?

Very likely. The announcement of the Framework was barely complete before noyb announced it will challenge the decision. Max Schrems, chair of noyb, stated:

“They say the definition of insanity is doing the same thing over and over again and expecting a different result…. We now had 'Harbors', 'Umbrellas', 'Shields' and 'Frameworks' - but no substantial change in US surveillance law… We currently expect this to be back at the Court of Justice by the beginning of next year.”

Until the Framework is reviewed – and upheld – by the CJEU many companies transferring to the US are likely to continue to apply a “belt and braces” approach by using both Standard Contractual Clauses and the Framework.

The website for the new Data Privacy Framework Program is available here.