On July 10, 2023, the European Commission adopted its long-awaited adequacy decision for the new EU-US Data Privacy Framework (DPF). This latest trans-Atlantic data transfer program follows the invalidation of the Privacy Shield in 2020 and the fall of the Safe Harbour Agreement in 2015, and aims to provide an easy way for certain organisations to transfer personal data between the European Economic Area and the United States.
However, will it be third time lucky for the DPF? With recent reports of French MP Philippe Latombe’s legal challenges and Austrian lawyer and privacy activist Max Schrems’ statement about being back in the Court of Justice by the beginning of next year, the landscape is uncertain.
In this blog, we take a look at the current details of the EU-US DPF Program and offer practical advice for organisations about eligibility and self-certification. We also delve into the concerns raised about the resilience and potential risks of the new mechanism, considering the legal challenges ahead.
The EU-US Data Privacy Framework (DPF) provides a set of binding rules and appropriate safeguards for transferring personal data between the European Economic Area (EEA) and the United States (US).
The DPF is intended to address the previous concerns that brought about the invalidation of the Privacy Shield, namely the lack of strong protections, the risk of surveillance by US intelligence agencies, and the lack of judicial redress for EU residents.
The principles of the new DPF are similar to those of the old Privacy Shield: notice; choice; accountability for onward transfers; security; data integrity and purpose limitation; access; and recourse, enforcement and liability. The key differences lie in the new controls, which, on the surface, appear to address the problems that led to the invalidation of the Privacy Shield.
The new controls include:
The Program states that compliance requirements are clearly laid out and cost-effective, which should particularly benefit small and medium-sized enterprises.
The EU-US DPF will be reviewed periodically by the European Commission, representatives of EU data protection authorities and certain US authorities, with the first review to take place within one year of implementation.
Even before the European Commission made its announcement about the adoption of the DPF Program, Max Schrems voiced his dissent. In November 2022, at the IAPP Europe Data Protection Congress, Max Schrems stated he would raise a potential “Schrems III” challenge before the Court of Justice of the European Union (CJEU) should the DPF Program go ahead.
Max Schrems founded the not-for-profit organisation noyb, which stands for ‘none of your business’. noyb uses strategic litigation and public campaigns to hold companies and governments accountable for their compliance with data protection laws. Max Schrems was the lead litigant in the landmark cases that became known as Schrems I and Schrems II, which brought about the invalidation of the Safe Harbour Agreement and the Privacy Shield, respectively.
Max Schrems’ main criticisms of the EU-US DPF:
‘Just announcing that something is “new”, “robust” or “effective” does not cut it before the Court of Justice. We would need changes in US surveillance law to make this work – and we simply don’t have it.’ Max Schrems, July 10, 2023
EU-US DPF challenges filed at the European Union’s General Court
Despite Mr Schrems’ vocal opposition, he is not the first to file against the DPF. On 7 September, French MP Philippe Latombe confirmed that two challenges had been filed at the European Union’s General Court.
Latombe’s challenges include:
There will undoubtedly be further litigation, but until a decision is passed in the courts, the EU-US DPF Program is still in place and can be used by certain organisations wishing to make international transfers of EU residents’ data between the EEA and the US.
To qualify for the DPF Program, US organisations need to be subject to the jurisdiction of the Federal Trade Commission (FTC) or the US Department of Transportation (DoT). Organisations can self-certify their compliance with the DPF principles through the new Data Privacy Framework Program website. Upon self-certification, the Framework is immediately applicable.
Organisations previously self-certified to the EU-US Privacy Shield Principles will be required to revise their privacy policies to refer to the “EU-U.S. Data Privacy Framework Principles” instead. It is important for this updated reference to be implemented as soon as possible and, at the latest, by October 10, 2023.
Should organisations continue to use SCCs for EU-US transfers?
Many companies are operating from a ‘wait and see’ stance and will continue to use their previously implemented processes and mechanisms, with Standard Contractual Clauses (SCCs) being one of them.
Standard Contractual Clauses (SCCs) are an easy-to-implement, well-recognised tool for EU-US transfers, especially for small and medium-sized enterprises (SMEs) that may not have the resources for individual contract negotiations. SCCs are deemed one of the most popular transfer mechanisms used by European organisations. In the 2019 International Association of Privacy Professionals (IAPP) Annual Privacy Governance Report, SCCs were voted the leading preference for data transfers by 88% of respondents surveyed, and this trend has continued.
It is important to note that a Transfer Impact Assessment (TIA) is a legal and contractual requirement when using SCCs. However, justifying transfers to the US has become easier since the introduction of the EU-US DPF Program. Now, the TIA can refer to the additional safeguards and controls implemented by the US, as detailed above. These safeguards and controls are available to EU data subjects, regardless of the transfer mechanism used.
A useful aspect of SCCs is the optional docking clause, which allows for changes in the parties to a contract. This clause isn’t widely used, but it provides a streamlined way to add new parties to a set of already executed SCCs. With the consent of the pre-existing parties, the new parties can ‘dock’ into the SCCs and transfer data relatively easily. However, the new parties must still be able to fulfil the contractual obligations, and a TIA must be completed.
What about UK-US data transfers?
At present, there is no mechanism for UK-US data transfers to use the EU-US DPF. The UK and US governments have reached an agreement in principle to establish a “data-bridge”, which would act as an extension to the EU-US DPF.
Organisations wishing to self-certify their compliance with the proposed UK extension to the EU-US DPF can currently indicate this on the DPF Program website, although it should be noted that, as of the time of writing, personal data cannot be transferred between the UK and the US under the DPF Program until the data-bridge extension is finalised and in force.
Organisations should continue to use the currently available mechanisms for UK-US transfers, including:
Whether the EU-US DPF is already doomed, only time will tell. However, organisations would be wise to consider the impact on any projects or processes should the DPF Program be withdrawn. This is especially the case for life sciences organisations conducting research projects and clinical trials. If the DPF Program were to be challenged and subsequently withdrawn, there is a potential risk that ongoing clinical trials might encounter additional obstacles and difficulties. It is therefore crucial for life sciences organisations to use data transfer mechanisms that are robust and reliable for the entire duration of a trial.
For all industries, navigating international data transfers continues to be a complex and onerous task, a sentiment also highlighted in the latest UK Data Protection Index Report. The DP Index is based on a survey of a panel of UK data protection and privacy professionals, with the results giving an important overview of evolving opinions and industry trends across a wide range of relevant topics. International data transfers remain one of the top ten concerns for the DP Index panel, and 10% see them as the most significant GDPR compliance hurdle faced by their organisations. You can read the latest DP Index Report here.
Katrina Leach, Head of Data Protection Operations and a Data Protection Officer at The DPO Centre, offers this helpful advice:
‘Given the evolving landscape of data privacy and the intricate web of international data transfers, organisations are encouraged to stay informed, agile, and prepared for a range of outcomes.’