01 Aug 2023

EU-U.S. Data Privacy Framework: A New Adequacy Decision for Transatlantic Data Flows

On July 10, 2023, the European Commission (“Commission”) adopted its adequacy decision for the EU-U.S. Data Privacy Framework (“DPF”). The decision concludes that the United States (“US”) ensures an adequate level of data protection, comparable to that of the European Union (“EU”).

What does this mean for EU Individuals and Businesses?

The much-anticipated decision brings a conclusive resolution to the legal uncertainties surrounding the export of EU users’ data by US companies, an issue that has troubled thousands of businesses in recent years. The General Data Protection Regulation (“GDPR”) empowers the Commission to determine, through an implementing act, whether a non-EU country ensures an “adequate level of protection” for personal data equivalent to that provided within the EU. With the new adequacy decision in place, personal data can now flow securely and freely from the EU to US companies participating in the EU-U.S. DPF, eliminating the need for additional data privacy protection measures such as Standard Contractual Clauses (“SCC”) or Binding Corporate Rules (“BCR”).

Fundamental Principles of the Novel EU-U.S. Data Privacy Framework

  • A new set of rules and binding safeguards limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security; US intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards;
  • A new two-tier redress system to investigate and resolve complaints of Europeans on access to data by US intelligence authorities, which includes a Data Protection Review Court (“DPRC”). Individuals can submit a complaint to their national data protection authority, even if they don’t know whether US intelligence agencies collected their data. Afterward, the DPRC will independently investigate and resolve complaints, including by adopting binding remedial measures;
  • Strong obligations for companies processing data transferred from the EU include the requirement to self-certify that they adhere to the standards through the US Department of Commerce.

US companies can join the EU-U.S. DPF by pledging to adhere to a comprehensive set of data privacy obligations.  These obligations include deleting personal data when it’s no longer necessary for the original purpose of collection and ensuring the continuous protection of data shared with third parties.

The EU-U.S. DPF introduces enforceable measures that address the concerns highlighted by the Court of Justice of the European Union (“CJEU”) in its Schrems II decision of July 2020. These measures include restricting access to EU data by US intelligence services to what is essential and proportionate, and establishing the DPRC to handle complaints from European individuals regarding the collection of their data for national security reasons.

Compared to the Privacy Shield, the new Framework brings about significant improvements.  For instance, if the DPRC determines that data was collected violating the new safeguards, it will have the authority to mandate the deletion of such data.  The enhanced safeguards related to government access to data will complement the obligations required of US companies importing data from the EU.

EU individuals will benefit from several redress mechanisms if US companies wrongly handle their data.  The safeguards put in place by the US will also facilitate transatlantic data flows more generally since they also apply when data is transferred using other tools, such as SCCs and BCRs.

Looking to the Future

The adequacy decision came into effect upon its adoption on July 10, 2023.  To ensure the ongoing protection of personal data belonging to individuals in the EU, the Commission will conduct periodic reviews of the EU-U.S. DPF.  The first review will occur within a year of the EU-U.S. DPF’s operation.

Stay tuned for further details on the EU-U.S. DPF and the self-certification process, which will be revealed on the US Department of Commerce’s dedicated EU-U.S. DPF website.  The US Department of Commerce manages and oversees the Framework, while the US Federal Trade Commission will be vigilant in enforcing compliance among US companies.

Making a Change or Putting a Band-Aid on the Data Transfer Issue?

The transfer of personal data from the EU to the US was ruled illegal by the CJEU in two landmark cases, with the latest one being Schrems II, which highlighted concerns about disproportionate access and inadequate protection of European bulk data by US security agencies.  After the CJEU invalidated the previous adequacy decision on the EU-U.S. Privacy Shield, the Commission and the US government engaged in discussions to create a new framework addressing the issues.

Although the EU-U.S. DPF has been well-anticipated and welcomed by many, it is expected to face legal challenges in the future, similar to previous frameworks like Safe Harbour and the Privacy Shield. Privacy activist Max Schrems, who initiated the previously mentioned cases, emphasizes that mere claims of being “new,” “robust,” or “effective” won’t suffice in the eyes of the CJEU. Further, Schrems expects the newest version of the adequacy decision “to be back at the Court of Justice by the beginning of next year,” which could “even suspend the new deal while it is reviewing the substance of it.”

Will the CJEU deliver a decisive verdict that sets the stage for a harmonious data flow relationship between the EU and the US? Only time will tell. In the meantime, data keeps flowing, and the EU-U.S. DPF holds the key to a data-sharing saga!

Western Balkan Countries and International Data Transfers

The EU-U.S. Data Privacy Framework has prompted discussions about data transfers from Western Balkans (WB) countries to the USA. Specifically, through their Stabilization and Association Agreements (SAAs), all WB countries have pledged to align their national laws, including those concerning personal data protection, with EU law. The national Laws on Personal Data Protection (LPDP) of the Western Balkan countries encompass provisions related to data transfers to third countries, including the USA.

For instance, Serbia’s LPDP stipulates that data can be transferred internationally to countries or organizations the EU deems adequate.  However, for the newly introduced EU-U.S. DPF to be operational within national borders, it must receive approval from the governing body, which will then formally recognize the list of adequate countries.  Similarly, since the EU acknowledges the US as a jurisdiction with satisfactory personal data protection, Montenegro’s LPDP allows data transfers to it.

On the other hand, Bosnia and Herzegovina and North Macedonia have a more rigorous procedure.  Transferring data to third countries, including the USA, mandates prior notification or approval from their national data privacy protection authorities.  These bodies evaluate the sufficiency of data protection on a case-by-case basis before sanctioning international data transfers, adding a layer of complexity to the process within these regions.

Should the EU-U.S. DPF come into full effect, it’s anticipated that all WB countries will embrace this framework, thereby streamlining the process of data transfers to the USA.

Authors:

Milica Novaković

Nikola Ivković