On 10 July 2023, the European Commission adopted a decision on the EU-US Data Privacy Framework, recognising the US as a country providing sufficient protection for personal data subject to the requirements of the GDPR. This marks the end of long-running and intense negotiations between the EU and the US, as a result of which personal data can now be safely transferred from the EU to US commercial organisations participating in the new Data Privacy Framework. Following the Schrems II decision in 2020 invalidating the Privacy Shield (see our previous article), this is a widely welcomed development, in particular for major US-based tech companies providing information society services.
Commitments by the US in the form of additional safeguards
The new Data Privacy Framework introduces significant safeguards to address the concerns raised, inter alia, by the CJEU in the Schrems II decision. Among other requirements, the new framework requires participating US companies to comply with a set of privacy obligations which ensure that EU data subjects can effectively exercise their rights (e.g., the right to erasure). Furthermore, US legislation now requires that access to relevant personal data by US authorities follows the principles of necessity and proportionality, in order to limit the indiscriminate bulk collection of EU citizens’ data. EU individuals can also raise privacy concerns regarding data processing carried out by US intelligence agencies through an independent and impartial redress mechanism, the newly established Data Protection Review Court (DPRC).
What’s next for companies that rely on service providers located in the US?
When using services provided by companies located in the US (e.g., providers of cloud and data analytics services, and other critical business functionalities), EU-based enterprises should inventory which of their cooperation partners adhere to the new framework and which do not. In light of the above, it may be economically more sensible to switch to a service provider participating in the new framework, since an EU-based company would then no longer be obliged to comply with the obligations inherent to certain other data transfer mechanisms. For instance, when relying on standard contractual clauses (SCCs) for international data transfers, the data exporter is obliged, for compliance purposes, to periodically evaluate and verify whether the transfer impact assessment it conducted and the related safeguards remain relevant (see the checklist for relying on SCCs in our previous article).
Strict rules on adherence to the new framework
US companies participating in the new Data Privacy Framework may rely on the decision without needing to implement additional safeguards under the GDPR to ensure an adequate level of personal data protection. To join the new framework, however, companies have to obtain certification, which means they become subject to the investigatory and enforcement powers of US authorities. This is likely to entail a considerable and continuous administrative burden, as participants must annually recertify their adherence to the principles set by the US Department of Commerce, the authority administering the new framework.
The future
The new Data Privacy Framework is subject to periodic reviews led by the European Commission in consultation with EU member states and the respective national authorities. However, it remains to be seen whether the new framework will suffer the same fate as the two previous agreements governing transatlantic data flows. This depends on whether the new framework actually ensures adequate protection for EU data subjects, a question that will ultimately be settled by the CJEU should the framework be challenged in court.
See the press release on the new framework published by the European Commission here.
Our data protection specialists remain at your disposal should you have any questions on how to ensure compliance, including with respect to the legality of international data transfers.