This blog was revised 30 October 2023 to include the results of the first legal challenge and the UK’s adequacy decision.
On 10 July 2023, the European Commission adopted its long-awaited adequacy decision for the new EU-US Data Privacy Framework (DPF). This latest trans-Atlantic data transfer program follows the invalidation of the Privacy Shield in 2020 and the fall of the Safe Harbour Agreement in 2015, and aims to give certain organisations an easy way to transfer personal data between the European Economic Area and the United States.
However, will it be third time lucky for the DPF? With French MP Philippe Latombe’s legal challenges and Austrian lawyer and privacy activist Max Schrems’ statement that he expects to be back before the Court of Justice by the beginning of next year, the landscape is uncertain.
In this blog, we take a look at the current details of the EU-US DPF Program and offer practical advice for organisations about eligibility and self-certification. We also delve into the concerns raised about the resilience and potential risks of the new mechanism, considering the legal challenges ahead.
The EU-US Data Privacy Framework (DPF) provides a set of binding rules and safeguards for transferring personal data between the European Economic Area (EEA) and the United States (US).
The DPF is intended to address the previous concerns that brought about the invalidation of the Privacy Shield, namely the lack of strong protections, the risk of surveillance by US intelligence agencies, and the lack of judicial redress for EU residents.
The principles of the new DPF are similar to those of the old Privacy Shield: notice; choice; accountability for onward transfers; security; data integrity and purpose limitation; access; and recourse, enforcement and liability. The key differences lie in the new controls, which, on the surface, appear to address the problems that led to the Privacy Shield being invalidated.
The new controls include:
The Program states that compliance requirements are clearly laid out and cost-effective, which should particularly benefit small and medium-sized enterprises.
The EU-US DPF will be reviewed periodically by the European Commission, representatives of EU data protection authorities and certain US authorities, with the first review to take place within one year of implementation.
Even before the European Commission announced the adoption of the DPF Program, Max Schrems had voiced his dissent. In November 2022, at the IAPP Europe Data Protection Congress, he stated that he would bring a potential “Schrems III” challenge before the Court of Justice of the European Union (CJEU) should the DPF Program go ahead.
Max Schrems founded the not-for-profit organisation noyb, which stands for ‘none of your business’. Noyb uses strategic litigation and public campaigns to hold companies and governments accountable for their compliance with data protection laws. Max Schrems was the lead litigant in the landmark cases that became known as Schrems I and Schrems II, which brought about the invalidation of the Safe Harbour Agreement and the Privacy Shield, respectively.
Max Schrems’ main criticisms of the EU-US DPF:
‘Just announcing that something is “new”, “robust” or “effective” does not cut it before the Court of Justice. We would need changes in US surveillance law to make this work – and we simply don’t have it.’ Max Schrems, July 10, 2023
EU-US DPF challenges filed at the European Union’s General Court
Despite Mr Schrems’ vocal opposition, he was not the first to file against the DPF. On 7 September, French MP Philippe Latombe filed two challenges at the European Union’s General Court.
On 12 October 2023, the General Court gave its interim ruling on Latombe’s request for suspension of the DPF, found insufficient grounds for urgency and rejected the request.
For interim relief to be granted, and to justify an urgent suspension, Latombe needed to establish that he would suffer ‘serious and irreparable harm’. A full hearing and final decision are still to come, although the rejection does call into question the strength of Latombe’s case.
There will undoubtedly be further litigation, but until the courts reach a decision the EU-US DPF Program remains in place and can be used by eligible organisations wishing to transfer EU residents’ personal data between the EEA and the US.
To qualify for the DPF Program, US organisations need to be subject to the jurisdiction of the Federal Trade Commission (FTC) or the US Department of Transportation (DoT). Organisations can self-certify their compliance with the DPF principles through the new Data Privacy Framework Program website. Upon self-certification, the Framework is immediately applicable.
The Data Privacy Framework (DPF) Program Website
Organisations previously self-certified to the EU-US Privacy Shield Principles should have revised and implemented their privacy policies by 10 October 2023, making reference to the “EU-U.S. Data Privacy Framework Principles”.
Many companies are taking a ‘wait and see’ stance and will continue to use their previously implemented processes and mechanisms, Standard Contractual Clauses (SCCs) being one of them.
Standard Contractual Clauses (SCCs) are an easy-to-implement, well-recognised tool for EU-US transfers, especially for small and medium-sized enterprises (SMEs) that may not have the resources for individual contract negotiations. SCCs are among the most popular transfer mechanisms used by European organisations. In the 2019 International Association of Privacy Professionals (IAPP) Annual Privacy Governance Report, SCCs were the leading preference for data transfers among 88% of respondents surveyed, and this trend has continued.
It is important to note that a Transfer Impact Assessment (TIA) is a legal and contractual requirement when using SCCs. However, justifying transfers to the US has become easier since the introduction of the EU-US DPF Program. Now, the TIA can refer to the additional safeguards and controls implemented by the US, as detailed above. These safeguards and controls are available to EU data subjects, regardless of the transfer mechanism used.
A useful aspect of SCCs is the optional docking clause, which allows for changes in the parties to a contract. This clause isn’t widely used, but it provides a streamlined way to add new parties to a set of already executed SCCs. With the consent of the pre-existing parties, new parties can ‘dock’ into the SCCs and transfer data relatively easily. It must be noted, however, that the new parties still need to be able to fulfil the contractual obligations, and a TIA must be completed.
On 21 September 2023, a little over two months after the European Commission’s decision, the UK government also announced adequacy with the US by establishing a ‘data bridge’. The US Attorney General officially recognised the UK as a ‘qualifying state’ on 18 September 2023, under the provisions of Executive Order 14086.
The UK data bridge (also referred to as the UK-US data bridge) came into effect on 12 October 2023.
The data bridge acts as an extension to the EU-US DPF and allows UK organisations to transfer personal data to certified US organisations without having to put in place an alternative transfer mechanism. The Department for Science, Innovation and Technology (DSIT) has published a range of data bridge supporting documents.
Organisations can also use the other currently available mechanisms for UK-US transfers, including:
Whether the EU-US DPF is already doomed, only time will tell. However, organisations would be wise to consider the impact on any projects or processes should the DPF Program be withdrawn. This is especially the case for life sciences organisations conducting research projects and clinical trials. If the DPF Program were to be challenged and subsequently withdrawn, there is a potential risk that ongoing clinical trials might encounter additional obstacles and difficulties. It is therefore crucial for life sciences organisations to use data transfer mechanisms that are robust and reliable for the entire duration of a trial.
For all industries, navigating international data transfers continues to be a complex and onerous task, a sentiment also highlighted in the latest UK Data Protection Index Report. The DP Index is based on a survey of a panel of UK data protection and privacy professionals, and its results give an important overview of evolving opinions and industry trends across a wide range of relevant topics. International data transfers remain one of the top ten concerns for the DP Index panel, and 10% see them as the most significant GDPR compliance hurdle faced by their organisations. You can read the latest DP Index Report here.
Katrina Leach, Head of Data Protection Operations and a Data Protection Officer at The DPO Centre offers this helpful advice:
‘Given the evolving landscape of data privacy and the intricate web of international data transfers, organisations are encouraged to stay informed, agile, and prepared for a range of outcomes.’
If you would like to discuss any further details about international data transfers, or if you would like to know how an outsourced data protection service would work for you, please complete the form below and we will be in touch.
For more news and insights about data protection, follow The DPO Centre on LinkedIn