policy monitor

EU - EU-US Data Privacy Framework

The EU-US Data Privacy Framework consists of safeguards to ensure the proper processing of personal data of EU-citizens by US companies in line with the General Data Protection Regulation (GDPR). An additional element is the establishment of a Data Protection Review Court, where EU-citizens can file complaints concerning the mishandling of their personal data. The EU and US aspire to guarantee an improved data flow between the two jurisdictions through this decision.

The decision firstly confirms the applicable material scope, which reiterates the provisions of the GDPR. Secondly, it sets out the relevant data protection principles, such as fairness, lawfulness and accuracy. These principles are safeguarded by the GDPR and thus also via this EU-US Data Privacy Framework. Thirdly, the access to and use of EU personal data by US entities are regulated: limitations, safeguards and a legal basis for these actions. The fourth and final element of the decision is the creation of a US Data Protection Review Court, which will function as a supervisory court to adjudicate any complaints by EU-citizens concerning the processing of their data by US intelligence entities. Also important to note is the permanent monitoring of the adequacy decision by the Commission.

What: Commission implementing decision

Impactscore: 1

For whom: Businesses and other organizations involved in EU-US personal data transfers, EU-citizens, data protection experts

URL: https://commission.europa.eu/system/files/2023-07/Adequacy%20decision%20EU-US%20Data%20Privacy%20Framework_en.pdf

Take away for Flanders: Organizations that are involved in EU-US personal data transfers can now rely on this new mechanism, or expect their US clients or vendors to start using it, instead of having to rely on Standard Contractual Clauses, Binding Corporate Rules or derogations. It remains, however, to be seen for how long this framework will survive.

Summary

On 10 July 2023, the European Commission (EC) adopted the EU-US Data Privacy Framework, in which it decides that the United States (US) provides an adequate level of protection for personal data transferred from the European Union (EU) to US organisations included in the Data Privacy Framework List. More explicitly, this means that the EC deems that the legal system of the US ensures ‘an adequate level of protection’ for EU personal data, but only for organisations that comply with the requirements set out in the framework. Via this EU-US Data Privacy Framework, the US is now recognized as an adequate jurisdiction, meaning that data can flow freely between the EU and certain US organisations, similar to intra-EU data transfers, without the need for an extra layer of safeguards. Previously, such transfers would require the implementation of Standard Contractual Clauses or Binding Corporate Rules.

In order to ensure that data transfers happen with sufficient protection under the new framework, extra safeguards are implemented.

First of all, interested US organisations need to self-certify and declare to the US Department of Commerce their commitment to adhere to the Principles. The US DoC will maintain and make available to the public an authoritative list of US organizations that have self-certified (“the Data Privacy Framework List”). The Principles entail, for example, the timely deletion of personal data once its original purpose is fulfilled and the continued protection of personal data shared with third parties. Additionally, the organisations must establish mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. This could entail ensuring the availability of independent recourse mechanisms. In turn, such mechanisms (e.g. privacy self-regulatory organizations and other independent dispute resolution bodies) may inform the Federal Trade Commission (FTC) of non-compliance situations, and the FTC can then start an investigation and take subsequent actions. Inter alia, the FTC will maintain an online list of companies subject to orders obtained in connection with enforcement of the EU-US DPF Principles.

Secondly, the decision provides for additional coordination obligations between the EC and the Member States. Under Article 3.2, they must inform each other of cases where it appears that US supervisory bodies fail to provide effective detection and supervision mechanisms enabling infringements of the framework to be identified and punished in practice. Article 3.3, on the other hand, requires that they inform each other of any indications that interferences by US public authorities responsible for national security, law enforcement or other public interests with the right of individuals to the protection of their personal data go beyond what is necessary and proportionate, and/or that there is no effective legal protection against such interferences.

The adequacy decision also guarantees another level of protection by creating an independent and impartial, but complex, redress mechanism: the Data Protection Review Court (DPRC). This supervisory judicial entity is established to investigate and resolve complaints regarding access to data of EU-citizens and the use of such data by US national security authorities. For complaints to be admissible, individuals need not prove that their data was actually collected by US intelligence agencies. They can lodge complaints with their national data protection authority (DPA), which will transmit the complaints to the US via the secretariat of the European Data Protection Board. The complaints will then be investigated by the Civil Liberties Protection Officer within the US intelligence community (“ODNI CLPO”), who is responsible for ensuring compliance with privacy and fundamental rights. The ODNI CLPO communicates its decision to the complainant through the national DPA. Interestingly, this decision will not set out the possible violation, nor any remedial actions, in order to “allow protection of the confidentiality of activities conducted to protect national security”. The decision of the ODNI CLPO can be appealed to the DPRC. The DPRC will rely on a panel of three judges and will be assisted by a special advocate who ‘represents the complainant's interests’. To further inform its position on an individual's application for review by the DPRC, the Special Advocate can seek information from the complainant through written questions. Here too, the final decision will be communicated to the complainant through the national DPA and will state that the DPRC completed its review and whether “the review either did not identify any covered violations” or “the DPRC issued a determination requiring appropriate remediation.” For a flow-chart, see https://www.justice.gov/media/1286456/dl?inline.

However, the EU-US Data Privacy Framework has already received criticism from privacy activists. Like the previous two attempts at an EU-US data framework, both of which were annulled by the Court of Justice of the EU (‘CJEU’) in the Schrems I and Schrems II judgments, the 2023 Framework is also expected to be brought before the CJEU. Activists claim that the US does not provide enough supervisory mechanisms within its legal system to comply with the current decision. US legal professionals and tech companies answer this criticism by explaining that the surveillance laws have been greatly improved and should not form an obstacle to the proper functioning of the EU-US Data Privacy Framework.

The European Commission is set to conduct periodic assessments of the EU-US Data Privacy Framework. A first review will take place after one year, followed by subsequent evaluations every four years. The purpose is to ensure the efficacy of the new US privacy safeguards for European citizens.