EU - US Data Privacy Framework - Is Third Time a Charm?
On July 10, 2023, the EU-US Data Privacy Framework entered into effect, opening up the safe transfer of data between the US and the 27 countries of the European Union (plus Norway, Liechtenstein, and Iceland). Under Article 44 of the GDPR, transfers of personal data beyond the EU/EEA are prohibited unless the recipient country can show that it provides adequate protection. The European Commission has the power to decide that a non-EU country grants a level of personal data protection equivalent to that of the GDPR; such a decision, known as an adequacy decision, is what makes the free exchange of personal information between EU and non-EU countries possible without the need to implement any additional safeguards. This is not, however, the first decision of its kind that the US has received from the EU. The EU and the US have had a few adequacy decisions before: the Safe Harbor, invalidated by the Court of Justice of the European Union in 2015, and the EU-US Privacy Shield, invalidated by the Court of Justice in 2020 following the well-known Schrems II case.
The issues raised by the Court when invalidating the Shield included the finding that transfers of data to the US violated the GDPR because US intelligence agencies could access the data and, therefore, that the US did not in effect provide an adequate level of protection for EU citizens, as required by both the GDPR and the EU Charter of Fundamental Rights. One of the main concerns raised by the Court of Justice was the lack of redress mechanisms that would allow data subjects protected by the GDPR to defend their rights if they were harmed by US intelligence activities. The invalidation of the EU-US Privacy Shield complicated data exchange between the continents and led to a number of court decisions against tech companies that continued to transfer data from the European Union to the United States using alternative safeguarding mechanisms. In March 2022, the EU Commission entered into an agreement with the US Government with the aim of developing a new framework that would address the issues that had led to the invalidation of the adequacy decision.
In October 2022, US President Joe Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, which put additional safeguards in place and required adherence to principles such as necessity and proportionality. In addition, a redress mechanism was introduced so that data subjects could “obtain independent and binding review and redress of claims that their personal information collected through U.S. signals intelligence was collected or handled by the United States in violation of applicable U.S. law, including the enhanced safeguards in the E.O.”
In effect, the efforts made by the US translated into new obligations designed to ensure that data can only be accessed by US intelligence agencies where necessary and proportionate, and an independent redress mechanism designed to handle and resolve complaints from residents of the EEA countries regarding the collection of their personal data for national security purposes. Under the new Framework, US public authorities will only be able to access the data for purposes of national security and criminal law enforcement. With this new adequacy decision in place, personal data can now flow freely from the EU to the US between companies that participate in the Framework, with no additional safeguards required. The new Framework is considered an improvement on the previous one chiefly because of what is regarded as a significant improvement in the redress mechanism: it grants the Data Protection Review Court the authority to order the deletion of data if it finds that the data was collected in violation of the new safeguards. For US businesses, the adequacy decision means that they are now able to join the EU-US Data Privacy Framework if they commit to a set of obligations, such as the obligation to delete personal data once it no longer serves the purpose for which it was collected, or the obligation to ensure that personal data remains protected when shared with third parties.
EEA residents are granted several rights under the Framework (to obtain access to their data, or to obtain correction or deletion of incorrect or unlawfully handled data), which were not necessarily available to them under US law, as well as free-of-charge dispute resolution and an arbitration panel for cases where their data has been handled wrongly. What is more, according to the Q&A available on the European Commission’s website, “for Europeans whose personal data is transferred to the US, the Executive Order provides for binding safeguards that limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security; enhanced oversight of activities by US intelligence services to ensure compliance with limitations on surveillance activities; and the establishment of an independent and impartial redress mechanism, which includes a new Data Protection Review Court to investigate and resolve complaints regarding access to their data by US national security authorities,” and “requires US intelligence agencies to review their policies and procedures to implement these new safeguards.”
Additionally, the Q&A answers perhaps one of the most relevant questions an individual might have: what the new redress mechanism is and how one can make use of it.
The EC’s website answers this as follows:
The US Government has established a new two-layer redress mechanism, with independent and binding authority, to handle and resolve complaints from any individual whose data has been transferred from the EEA to companies in the US about the collection and use of their data by US intelligence agencies.
For a complaint to be admissible, individuals do not need to demonstrate that their data was in fact collected by US intelligence agencies. Individuals can submit a complaint to their national data protection authority, which will ensure that the complaint will be properly transmitted and that any further information relating to the procedure —including on the outcome—is provided to the individual. This ensures that individuals can turn to an authority close to home, in their own language. Complaints will be transmitted to the United States by the European Data Protection Board.
First, complaints will be investigated by the so-called ‘Civil Liberties Protection Officer' of the US intelligence community. This person is responsible for ensuring compliance by US intelligence agencies with privacy and fundamental rights.
Second, individuals have the possibility to appeal the decision of the Civil Liberties Protection Officer before the newly created Data Protection Review Court (DPRC). The Court is composed of members from outside the US Government, who are appointed on the basis of specific qualifications, can only be dismissed for cause (such as a criminal conviction, or being deemed mentally or physically unfit to perform their tasks) and cannot receive instructions from the government. The DPRC has powers to investigate complaints from EU individuals, including to obtain relevant information from intelligence agencies, and can take binding remedial decisions. For example, if the DPRC would find that data was collected in violation of the safeguards provided in the Executive Order, it can order the deletion of the data.
In each case, the Court will select a special advocate with relevant experience to support the Court, who will ensure that the complainant's interests are represented and that the Court is well informed of the factual and legal aspects of the case. This will ensure that both sides are represented, and introduce important guarantees in terms of fair trial and due process.
Once the Civil Liberties Protection Officer or the DPRC completes the investigation, the complainant will be informed that either no violation of US law was identified, or that a violation was found and remedied. At a later stage, the complainant will also be informed when any information about the procedure before the DPRC—such as the reasoned decision of the Court—is no longer subject to confidentiality requirements and can be obtained.
Although the new Framework has been hailed as an improvement, with European Commissioner for Justice Didier Reynders saying that it is “substantially different than the EU-U.S. Privacy Shield,” the privacy advocacy organization NOYB, known for having previously challenged both the Privacy Shield and its predecessor, the Safe Harbor Framework, has described the new Framework as “largely a copy” and has announced on its website that it intends to challenge the Framework before the EU Court of Justice. Max Schrems, founder of NOYB, has stated the following:
We have various options for a challenge already in the drawer, although we are sick and tired of this legal ping-pong. We currently expect this to be back at the Court of Justice by the beginning of next year. The Court of Justice could then even suspend the new deal while it is reviewing the substance of it. For the sake of legal certainty and the rule of law we will then get an answer if the Commission's tiny improvements were enough or not. For the past 23 years all EU-US deals were declared invalid retroactively, making all past data transfers by businesses illegal - we seem to just add another two years of this ping-pong now.