Series
Blogs
EU & US – The new EU-US Data Privacy Framework: Third time lucky?
EU & US – The new EU-US Data Privacy Framework: Third time lucky?
17 July 2023
Series
Blogs
17 July 2023
On 10 July 2023, the EU Commission adopted its long-awaited adequacy decision on transfers to the US under the EU-US Data Privacy Framework (the “Framework”).
We consider the background to this very welcome announcement, some practical questions about its operation and whether it will be more durable than its two predecessors.
The Framework is intended to facilitate transfers of personal data from the EU to the US. These have become increasingly problematic following the CJEU’s judgment in Schrems II (Case C-311/18). The decision concluded, in broad terms, that:
This has proved problematic. Conducting these transfer impact assessments requires a great deal of effort (involving specialist US legal advice) and rarely provides a clear conclusion. EU data protection authorities have already started to prohibit some transfers of personal data to the US on the basis of the decision in Schrems II (e.g. here).
The Framework allows the transfer of personal data to US companies signed up to the Framework without the need for Standard Contractual Clauses or a transfer impact assessment. (Transfers by controllers to processors will still, or course, need a standard processor contract.)
The main change made by the US is the signing of the Executive Order, On Enhancing Safeguards For United States Signals Intelligence Activities, on 7 October 2022 (the “Order”). To respond to the concerns raised by the CJEU, the Order makes a number of changes including:
Some of these protections were conditional on the US designating the EEA states as ‘qualifying states’ for the purpose of the Order. That designation was made on 3 July 2023 and became effective upon the adoption of the adequacy decision by the EU for the Framework.
Further details about the protections afforded by the Order are available here.
No. The Framework only applies to US companies that have joined the Framework. As with the previous Privacy Shield, only companies supervised by the US Federal Trade Commission or Department of Transport can join the Framework.
Helpfully, it appears that companies that were already certified under the Privacy Shield can easily transfer to the new regime. They do not need to make another self-certification submission and instead can just update their privacy policies by 10 October 2023 to benefit from the Framework. The website for the Framework therefore lists includes a large number of US participants (here).
However, entities that are not regulated by the US Federal Trade Commission or Department of Transport – for example, banks and telecoms companies – cannot join the Framework.
Yes. The Order applies broadly to information about EEA citizens and is not limited to transfers of personal data to companies signed up to the Framework.
This will be a highly relevant factor for transfers made by other means and arguably creates a presumption of adequacy for any transfer impact assessment of transfers to the US. In other words, if the Order means transfers are adequate to companies in the Framework vis-à-vis access by the US Government there is no reason for a different conclusion in relation to transfers under the Standard Contractual Clauses.
The scope of the Framework will in due course apply to transfers from both the UK and Switzerland to the US.
To take advantage of this, US companies need to expressly self-certify compliance with the UK Extension to the Framework and the Swiss-US Data Privacy Framework. Both the UK and Switzerland must also adopt their own adequacy decisions – something that is expected to happen shortly.
The Framework only applies to transfers to the US. Many other third country states give their law enforcement and security services extensive surveillance powers, often with significantly less oversight and respect for the rule of law than that provided by the US.
Transfers to these jurisdictions are likely to continue to be problematic, relying frequently on Standard Contractual Clauses and complex and expensive transfer impact assessments.
Very likely. The announcement of the Framework was barely complete before noyb announced it will challenge the decision. Max Schrems, chair of noyb, stated:
“They say the definition of insanity is doing the same thing over and over again and expecting a different result…. We now had 'Harbors', 'Umbrellas', 'Shields' and 'Frameworks' - but no substantial change in US surveillance law… We currently expect this to be back at the Court of Justice by the beginning of next year.”
Until the Framework is reviewed – and upheld – by the CJEU many companies transferring to the US are likely to continue to apply a “belt and braces” approach by using both Standard Contractual Clauses and the Framework.
The website for the new Data Privacy Framework Program is available here.