What is the EU-US Data Privacy Framework?
On July 10th, 2023, the European Commission adopted a decision that the United States provides a level of protection for personal data transferred from the European Union to U.S. companies participating in the EU-U.S. Data Privacy Framework that is adequate and comparable to the protection standards required within the European Union.
The adequacy decision was preceded by the United States' issuance of an Executive Order titled "Enhancing Safeguards for United States Signals Intelligence Activities," which introduced new binding safeguards aimed at addressing the concerns raised by the Court of Justice of the European Union in its Schrems II decision of July 2020.
These safeguards are designed to ensure that access to data by U.S. intelligence agencies is limited to what is necessary and proportionate. Additionally, the Executive Order established an independent and impartial redress mechanism to handle and resolve complaints from European citizens regarding the collection of their data for national security purposes.
Understanding the EU-US Data Privacy Framework
The General Data Protection Regulation (Regulation (EU) 2016/679) of the EU sets out the rules for the transfer of personal data from controllers or processors in the Union to third countries and international organisations to the extent that such transfers fall within its scope of application.
While the flow of personal data to and from countries outside the European Union is essential for the expansion of cross-border trade and international cooperation, the level of protection afforded to personal data in the Union must not be undermined by transfers to third countries or international organisations.
Pursuant to Article 45(3) of Regulation (EU) 2016/679, the Commission may decide, by means of an implementing act, that a third country, a territory or one or more specified sectors within a third country, ensure(s) an adequate level of protection. Under this condition, transfers of personal data to a third country may take place without the need to obtain any further authorisation, as provided for in Article 45(1) and recital 103 of Regulation (EU) 2016/679.
As specified in Article 45(2) of Regulation (EU) 2016/679, the adoption of an adequacy decision has to be based on a comprehensive analysis of the third country’s legal order, covering both the rules applicable to data importers and the limitations and safeguards as regards access to personal data by public authorities. In its assessment, the Commission has to determine whether the third country in question guarantees a level of protection ‘essentially equivalent’ to that ensured within the Union.
As clarified by the Court of Justice in its judgment of 6 October 2015 in Case C-362/14, Maximillian Schrems v Data Protection Commissioner (Schrems), this does not require finding an identical level of protection. In particular, the means to which the third country in question has recourse for protecting personal data may differ from the ones employed in the Union, as long as they prove, in practice, effective for ensuring an adequate level of protection.
The adequacy standard therefore does not require a point-to-point replication of European Union rules. Rather, the test is whether, through the substance of privacy rights and their effective implementation, supervision and enforcement, the foreign system as a whole delivers the required level of protection.
Furthermore, according to that judgment, when applying this standard, the Commission should notably assess whether the legal framework of the third country in question provides rules intended to limit interferences with the fundamental rights of the persons whose data is transferred from the Union, which the State entities of that country would be authorised to engage in when they pursue legitimate objectives, such as national security, and provides effective legal protection against interferences of that kind.
Following the Schrems II judgment, the Commission entered into talks with the U.S. government with a view to a possible new adequacy decision that would meet the requirements of Article 45(2) of Regulation (EU) 2016/679 as interpreted by the Court of Justice.
As a result of these discussions, the United States on 7 October 2022 adopted Executive Order 14086 ‘Enhancing Safeguards for US Signals Intelligence Activities’ (EO 14086), which is complemented by a Regulation on the Data Protection Review Court issued by the U.S. Attorney General (AG Regulation). In addition, the framework that applies to commercial entities processing data transferred from the Union under the present Decision – the ‘EU-U.S. Data Privacy Framework’ (EU-U.S. DPF) – has been updated.
COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework
Article 1
For the purpose of Article 45 of Regulation (EU) 2016/679, the United States ensures an adequate level of protection for personal data transferred from the Union to organisations in the United States that are included in the ‘Data Privacy Framework List’, maintained and made publicly available by the U.S. Department of Commerce, in accordance with Section I.3 of Annex I.
Article 2
Whenever the competent authorities in Member States, in order to protect individuals with regard to the processing of their personal data, exercise their powers pursuant to Article 58 of Regulation (EU) 2016/679 with respect to data transfers referred to in Article 1 of this Decision, the Member State concerned shall inform the Commission without delay.
Article 3
1. The Commission shall continuously monitor the application of the legal framework that is the object of this Decision, including the conditions under which onward transfers are carried out, individual rights are exercised and U.S. public authorities have access to data transferred on the basis of this Decision, with a view to assessing whether the United States continues to ensure an adequate level of protection as referred to in Article 1.
2. The Member States and the Commission shall inform each other of cases where it appears that the bodies in the United States with the statutory power to enforce compliance with the Principles set out in Annex I fail to provide effective detection and supervision mechanisms enabling infringements of the Principles set out in Annex I to be identified and punished in practice.
3. The Member States and the Commission shall inform each other of any indications that the interferences by U.S. public authorities responsible for the pursuit of national security, law enforcement or other public interests with the right of individuals to the protection of their personal data go beyond what is necessary and proportionate, and/or that there is no effective legal protection against such interferences.
4. After one year from the date of the notification of this Decision to the Member States and subsequently at a periodicity that will be decided in close consultation with the Committee established under Article 93(1) of Regulation (EU) 2016/679 and the European Data Protection Board, the Commission shall evaluate the finding referred to in Article 1(1) on the basis of all available information, including information obtained through the review carried out together with the competent authorities of the United States.
5. Where the Commission has indications that an adequate level of protection is no longer ensured, the Commission shall inform the competent U.S. authorities. If necessary, it will decide to suspend, amend or repeal this Decision, or limit its scope, in accordance with Article 45(5) of Regulation (EU) 2016/679. The Commission may also adopt such a decision if the lack of cooperation of the U.S. government prevents the Commission from determining whether the United States continues to ensure an adequate level of protection.
Adequacy decisions
The European Commission has the power to determine, on the basis of article 45 of Regulation (EU) 2016/679, whether a country outside the EU offers an adequate level of data protection.
The adoption of an adequacy decision involves:
- a proposal from the European Commission;
- an opinion of the European Data Protection Board;
- an approval from representatives of EU countries;
- the adoption of the decision by the European Commission.
At any time, the European Parliament and the Council may request the European Commission to maintain, amend or withdraw the adequacy decision on the grounds that its act exceeds the implementing powers provided for in the regulation.
The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. In other words, transfers to the country in question will be assimilated to intra-EU transmissions of data.
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.
With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector, which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).
The Commission is required to periodically review the adequacy decisions adopted under the GDPR and its predecessor, Directive 95/46/EC, and to report its findings to the European Parliament and the Council.
What is the new redress mechanism in the area of national security and how can individuals make use of it?
The US Government has established a new two-layer redress mechanism, with independent and binding authority, to handle and resolve complaints from any individual whose data has been transferred from the EEA to companies in the US about the collection and use of their data by US intelligence agencies.
For a complaint to be admissible, individuals do not need to demonstrate that their data was in fact collected by US intelligence agencies. Individuals can submit a complaint to their national data protection authority, which will ensure that the complaint will be properly transmitted and that any further information relating to the procedure —including on the outcome—is provided to the individual. This ensures that individuals can turn to an authority close to home, in their own language. Complaints will be transmitted to the United States by the European Data Protection Board.
First, complaints will be investigated by the so-called ‘Civil Liberties Protection Officer’ of the US intelligence community. This person is responsible for ensuring compliance by US intelligence agencies with privacy and fundamental rights.
Second, individuals have the possibility to appeal the decision of the Civil Liberties Protection Officer before the newly created Data Protection Review Court (DPRC). The Court is composed of members from outside the US Government, who are appointed on the basis of specific qualifications, can only be dismissed for cause (such as a criminal conviction, or being deemed mentally or physically unfit to perform their tasks) and cannot receive instructions from the government. The DPRC has powers to investigate complaints from EU individuals, including to obtain relevant information from intelligence agencies, and can take binding remedial decisions. For example, if the DPRC finds that data was collected in violation of the safeguards provided in the Executive Order, it can order the deletion of the data.
In each case, the Court will select a special advocate with relevant experience to support the Court, who will ensure that the complainant's interests are represented and that the Court is well informed of the factual and legal aspects of the case. This will ensure that both sides are represented, and introduce important guarantees in terms of fair trial and due process.
Once the Civil Liberties Protection Officer or the DPRC completes the investigation, the complainant will be informed that either no violation of US law was identified, or that a violation was found and remedied. At a later stage, the complainant will also be informed when any information about the procedure before the DPRC (such as the reasoned decision of the Court) is no longer subject to confidentiality requirements and can be obtained.