What is the EU-US Data Privacy Framework?
On July 10th, 2023, the European Commission adopted a decision that the United States provides a level of protection for personal data transferred from the European Union to U.S. companies participating in the EU-U.S. Data Privacy Framework that is adequate and comparable to the protection standards required within the European Union.
The adequacy decision was preceded by the United States' issuance of an Executive Order titled "Enhancing Safeguards for United States Signals Intelligence Activities," which introduced new binding safeguards aimed at addressing the concerns raised by the Court of Justice of the European Union in its Schrems II decision of July 2020.
These safeguards are designed to ensure that access to data by U.S. intelligence agencies is limited to what is necessary and proportionate. Additionally, the Executive Order established an independent and impartial redress mechanism to handle and resolve complaints from European citizens regarding the collection of their data for national security purposes.
Understanding the EU-US Data Privacy Framework
The General Data Protection Regulation (Regulation (EU) 2016/679) of the EU sets out the rules for the transfer of personal data from controllers or processors in the Union to third countries and international organisations to the extent that such transfers fall within its scope of application.
While the flow of personal data to and from countries outside the European Union is essential for the expansion of cross-border trade and international cooperation, the level of protection afforded to personal data in the Union must not be undermined by transfers to third countries or international organisations.
Pursuant to Article 45(3) of Regulation (EU) 2016/679, the Commission may decide, by means of an implementing act, that a third country, a territory or one or more specified sectors within a third country, ensure(s) an adequate level of protection. Under this condition, transfers of personal data to a third country may take place without the need to obtain any further authorisation, as provided for in Article 45(1) and recital 103 of Regulation (EU) 2016/679.
As specified in Article 45(2) of Regulation (EU) 2016/679, the adoption of an adequacy decision has to be based on a comprehensive analysis of the third country’s legal order, covering both the rules applicable to data importers and the limitations and safeguards as regards access to personal data by public authorities. In its assessment, the Commission has to determine whether the third country in question guarantees a level of protection ‘essentially equivalent’ to that ensured within the Union.
As clarified by the Court of Justice in its judgment of 6 October 2015 in Case C-362/14, Maximillian Schrems v Data Protection Commissioner (Schrems), this does not require finding an identical level of protection. In particular, the means to which the third country in question has recourse for protecting personal data may differ from the ones employed in the Union, as long as they prove, in practice, effective for ensuring an adequate level of protection.
The adequacy standard therefore does not require a point-to-point replication of European Union rules. Rather, the test is whether, through the substance of privacy rights and their effective implementation, supervision and enforcement, the foreign system as a whole delivers the required level of protection.
Furthermore, according to that judgment, when applying this standard, the Commission should notably assess whether the legal framework of the third country in question provides rules intended to limit interferences with the fundamental rights of the persons whose data is transferred from the Union, which the State entities of that country would be authorised to engage in when they pursue legitimate objectives, such as national security, and provides effective legal protection against interferences of that kind.
Following the Schrems II judgment, the Commission entered into talks with the U.S. government with a view to a possible new adequacy decision that would meet the requirements of Article 45(2) of Regulation (EU) 2016/679 as interpreted by the Court of Justice.
As a result of these discussions, the United States on 7 October 2022 adopted Executive Order 14086 ‘Enhancing Safeguards for US Signals Intelligence Activities’ (EO 14086), which is complemented by a Regulation on the Data Protection Review Court issued by the U.S. Attorney General (AG Regulation). In addition, the framework that applies to commercial entities processing data transferred from the Union under the present Decision – the ‘EU-U.S. Data Privacy Framework’ (EU-U.S. DPF) – has been updated.
4 November 2024 - The European Data Protection Board (EDPB) adopted its first report under the EU-U.S. Data Privacy Framework
On 10 July 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework. Article 3 of the adequacy decision requires the Commission to regularly review the decision, with the first periodic review to take place one year after the date of the notification of the adequacy decision to the Member States. In line with Recital 212 of the adequacy decision, five representatives of the EDPB participated in the review meeting that was held in Washington D.C. on 18 and 19 July 2024. The EDPB focused on the assessment of both the commercial aspects of the EU-U.S. Data Privacy Framework (‘DPF’) and the access by U.S. public authorities to personal data transferred from the EU to DPF-certified organisations.
The EDPB welcomes the efforts made by the U.S. authorities and the Commission to implement the DPF, and takes positive note of several developments that took place since the adoption of the adequacy decision.
Concerning the commercial aspects of the DPF, the EDPB notes that the U.S. Department of Commerce took all relevant steps to implement the certification process for U.S. companies, including developing a new website, updating procedures, engaging with companies, and conducting awareness-raising activities. Similarly, the multi-layered redress system under the DPF has been updated and implemented and provides several easily accessible avenues for complaints from EU individuals. However, the very low number of eligible complaints received in the first year of the DPF appears to confirm previous concerns of the EDPB that the possibility for individuals to lodge complaints must be accompanied by proactive checks by the competent U.S. authorities on compliance with the substantial elements of the DPF Principles. Thus, the EDPB would like to encourage the Department of Commerce and the Federal Trade Commission to increase ex officio investigations into the substantial compliance of certified organisations with all DPF Principles in the near future.
The EDPB would also like to incentivise the Department of Commerce to work on and publish practical guidance on the Accountability for Onward Transfer Principle of the DPF. Such guidance would ideally clarify the requirements that DPF-certified companies who receive personal data from EU exporters need to comply with when transferring such data to other third countries. The EDPB also believes that there is a need to settle the longstanding divergence in interpretation between EU and US authorities of the notion of ‘HR Data’ under the DPF. Therefore, the EDPB equally encourages the Department of Commerce to swiftly develop guidance on this matter that acknowledges the broad definition of HR Data under the DPF and lays out practical examples where HR Data would be processed under the DPF, explaining for each scenario which DPF Principles would be relevant. The EDPB stands ready to provide feedback to the Department of Commerce’s guidance.
Concerning access by U.S. public authorities to personal data transferred from the EU to DPF certified organisations, the EDPB recalls that the adequacy decision is based in particular on the Commission’s favourable assessment of Executive Order 14086, which is effectively meant to remedy the deficits identified in the judgment of the CJEU in Case C-311/18. To this end, Executive Order 14086 provides for additional safeguards, most notably by introducing the concepts of necessity and proportionality into the U.S. legal framework on signals intelligence and establishing a new redress mechanism. In the first periodic review one year after the adoption of the adequacy decision, the EDPB focused on the effective implementation of these safeguards as well as on new developments concerning government access to personal data for national security purposes.
On the implementation of the principles of necessity and proportionality, the EDPB recognises that the U.S. Intelligence Community’s internal policies and procedures have been updated and published. The EDPB would have welcomed, however, an opportunity during the periodic review to discuss examples that clearly identify how the principles of necessity and proportionality are specifically interpreted and applied at agency level. The EDPB expects that future reviews will address this point. The EDPB is not in a position to fully assess the implementation of necessity and proportionality in practice and highlights the need to continue to carefully monitor this aspect, including in future reviews.
On effective redress, the EDPB had already recognized significant improvements, especially relating to the powers of the Data Protection Review Court. U.S. authorities have subsequently taken measures to implement the redress mechanism of the DPF. The EDPB welcomes these important steps which include not only the designation of the EU, Iceland, Liechtenstein and Norway as qualifying states for the redress mechanism but also the appointment of eight judges and two special advocates to the Data Protection Review Court. The EDPB considers that the elements of the redress mechanism provided for in Executive Order 14086 are in place. At the time of the review, no complaint had been filed under the new framework by EU individuals. Also, the annual review of the redress mechanism carried out by the Privacy and Civil Liberties Oversight Board is still pending. The EDPB wishes to renew its call to the Commission to monitor the practical functioning of the different safeguards of Executive Order 14086 designed to ensure an essentially equivalent level of protection. The redress mechanism should remain a priority during future periodic reviews.
With regard to the re-authorisation of Section 702 of the Foreign Intelligence Surveillance Act, the EDPB takes positive note of the legislative changes which increase privacy protections and recalls that Executive Order 14086 remains fully applicable when requesting access to data under Section 702 of the Foreign Intelligence Surveillance Act. However, the EDPB regrets that the reform did not incorporate the recommendation of the Privacy and Civil Liberties Oversight Board to codify certain safeguards of the Executive Order in Section 702 of the Foreign Intelligence Surveillance Act, thus not taking the opportunity to introduce additional safeguards as also previously recommended by the EDPB. The EDPB is concerned that the amendment to the definition of “electronic communication service provider” under Section 702 of the Foreign Intelligence Surveillance Act does not meet the requirement of clear, precise and accessible law. Notwithstanding the safeguards of Executive Order 14086, this change creates uncertainty about the actual reach of Section 702 surveillance. The EDPB considers that it is important for the Commission to follow up on future developments concerning Section 702 of the Foreign Intelligence Surveillance Act and also encourages the Privacy and Civil Liberties Oversight Board to monitor these developments.
The EDPB underlines that an adequate level of protection must be ensured also with regard to governmental acquisition of personal data by U.S. intelligence agencies from data brokers and other commercial entities that is not captured by Executive Order 14086. The Commission should further assess and monitor this particular form of government access and its practical use cases.
The EDPB would find it appropriate for the next review of the DPF to take place within less than four years, taking into account the numerous important aspects of the adequacy decision and the implementation of the DPF that the EDPB has recommended the Commission to closely monitor. This would allow the Commission and the EDPB to follow up in a structured manner on comprehensive information from U.S. authorities and other stakeholders about the practical application of the DPF sooner than the legally-established maximum time limit for the review.
The report:
COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework
Article 1
For the purpose of Article 45 of Regulation (EU) 2016/679, the United States ensures an adequate level of protection for personal data transferred from the Union to organisations in the United States that are included in the ‘Data Privacy Framework List’, maintained and made publicly available by the U.S. Department of Commerce, in accordance with Section I.3 of Annex I.
Article 2
Whenever the competent authorities in Member States, in order to protect individuals with regard to the processing of their personal data, exercise their powers pursuant to Article 58 of Regulation (EU) 2016/679 with respect to data transfers referred to in Article 1 of this Decision, the Member State concerned shall inform the Commission without delay.
Article 3
1. The Commission shall continuously monitor the application of the legal framework that is the object of this Decision, including the conditions under which onward transfers are carried out, individual rights are exercised and U.S. public authorities have access to data transferred on the basis of this Decision, with a view to assessing whether the United States continues to ensure an adequate level of protection as referred to in Article 1.
2. The Member States and the Commission shall inform each other of cases where it appears that the bodies in the United States with the statutory power to enforce compliance with the Principles set out in Annex I fail to provide effective detection and supervision mechanisms enabling infringements of the Principles set out in Annex I to be identified and punished in practice.
3. The Member States and the Commission shall inform each other of any indications that the interferences by U.S. public authorities responsible for the pursuit of national security, law enforcement or other public interests with the right of individuals to the protection of their personal data go beyond what is necessary and proportionate, and/or that there is no effective legal protection against such interferences.
4. After one year from the date of the notification of this Decision to the Member States and subsequently at a periodicity that will be decided in close consultation with the Committee established under Article 93(1) of Regulation (EU) 2016/679 and the European Data Protection Board, the Commission shall evaluate the finding referred to in Article 1(1) on the basis of all available information, including information obtained through the review carried out together with the competent authorities of the United States.
5. Where the Commission has indications that an adequate level of protection is no longer ensured, the Commission shall inform the competent U.S. authorities. If necessary, it will decide to suspend, amend or repeal this Decision, or limit its scope, in accordance with Article 45(5) of Regulation (EU) 2016/679. The Commission may also adopt such a decision if the lack of cooperation of the U.S. government prevents the Commission from determining whether the United States continues to ensure an adequate level of protection.
Adequacy decisions
The European Commission has the power to determine, on the basis of article 45 of Regulation (EU) 2016/679, whether a country outside the EU offers an adequate level of data protection.
The adoption of an adequacy decision involves:
- a proposal from the European Commission;
- an opinion of the European Data Protection Board;
- an approval from representatives of EU countries;
- the adoption of the decision by the European Commission.
At any time, the European Parliament and the Council may request the European Commission to maintain, amend or withdraw the adequacy decision on the grounds that its act exceeds the implementing powers provided for in the regulation.
The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. In other words, transfers to the country in question are treated in the same way as intra-EU transmissions of data.
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay as providing adequate protection.
With the exception of the United Kingdom, these adequacy decisions do not cover data exchanges in the law enforcement sector which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).
The Commission is required to periodically review the adequacy decisions adopted under the GDPR and its predecessor, Directive 95/46/EC, and to report its findings to the European Parliament and the Council.
What is the new redress mechanism in the area of national security and how can individuals make use of it?
The US Government has established a new two-layer redress mechanism, with independent and binding authority, to handle and resolve complaints from any individual whose data has been transferred from the EEA to companies in the US about the collection and use of their data by US intelligence agencies.
For a complaint to be admissible, individuals do not need to demonstrate that their data was in fact collected by US intelligence agencies. Individuals can submit a complaint to their national data protection authority, which will ensure that the complaint is properly transmitted and that any further information relating to the procedure, including on the outcome, is provided to the individual. This ensures that individuals can turn to an authority close to home, in their own language. Complaints will be transmitted to the United States by the European Data Protection Board.
First, complaints will be investigated by the so-called ‘Civil Liberties Protection Officer’ of the US intelligence community. This person is responsible for ensuring compliance by US intelligence agencies with privacy and fundamental rights.
Second, individuals have the possibility to appeal the decision of the Civil Liberties Protection Officer before the newly created Data Protection Review Court (DPRC). The Court is composed of members from outside the US Government, who are appointed on the basis of specific qualifications, can only be dismissed for cause (such as a criminal conviction, or being deemed mentally or physically unfit to perform their tasks) and cannot receive instructions from the government. The DPRC has powers to investigate complaints from EU individuals, including to obtain relevant information from intelligence agencies, and can take binding remedial decisions. For example, if the DPRC finds that data was collected in violation of the safeguards provided in the Executive Order, it can order the deletion of the data.
In each case, the Court will select a special advocate with relevant experience to support the Court, who will ensure that the complainant's interests are represented and that the Court is well informed of the factual and legal aspects of the case. This will ensure that both sides are represented, and introduce important guarantees in terms of fair trial and due process.
Once the Civil Liberties Protection Officer or the DPRC completes the investigation, the complainant will be informed that either no violation of US law was identified, or that a violation was found and remedied. At a later stage, the complainant will also be informed when any information about the procedure before the DPRC, such as the reasoned decision of the Court, is no longer subject to confidentiality requirements and can be obtained.