On July 10, 2023, the EU-US Data Privacy Framework was finally adopted. Back in March of 2023, we had a first look at the framework and its assessment by the European Parliament's Committee on Civil Liberties, Justice and Home Affairs, and in July we looked at the new EU-U.S. adequacy decision, which came into force.
The new adequacy decision is in place as of July 11, 2023, and it introduces “new binding safeguards to address all the concerns raised by the European Court of Justice, including limiting access to EU data by U.S. intelligence services to what is necessary and proportionate and establishing a Data Protection Review Court (DPRC), to which EU individuals will have access.” This framework comes with significant improvements, such as granting authority to the DPRC to order the deletion of data if it finds that said data was collected in violation of the new safeguards. In light of the Schrems II decision from 2020, these changes seem like a significant step towards building trust.
On November 14, 2023, the United States Attorney General, Merrick B. Garland, held an investiture ceremony at the Justice Department and swore in six judges who will be part of the total of eight members of the independent court, the DPRC. In the press release published on the DOJ’s website, AG Garland stated the following:
In October 2022, I issued new regulations establishing the Data Protection Review Court to serve as the second level of a new redress process established by the President’s Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities. [...] Although this court has been established at the Department of Justice, its judges will independently decide what remedies, if any, are appropriate for the cases in front of them, and the intelligence agencies will be expected to abide by their decisions.
According to the United States President’s “Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities”:
The Data Protection Review Court panel shall impartially review the determinations made by the CLPO with respect to whether a covered violation occurred and the appropriate remediation in the event there was such a violation. [...] In reviewing determinations made by the CLPO, the Data Protection Review Court panel shall be guided by relevant decisions of the United States Supreme Court in the same way as are courts established under Article III of the United States Constitution, including those decisions regarding appropriate deference to relevant determinations of national security officials.
In simpler terms, the DPRC “will independently review determinations made by the Civil Liberties Protection Officer of the Office of the Director of National Intelligence (ODNI) in response to qualifying complaints sent by individuals through appropriate public authorities that allege certain violations of U.S. law in the conduct of U.S. signals intelligence activities.”
With the adoption of the DPC, US businesses are now able to join the EU-US Data Privacy Framework if they commit to complying with a set of obligations, such as the obligation to delete personal data when it is no longer necessary for the purpose for which it was collected, or the obligation to ensure that personal data is protected when shared with third parties.
Data subjects in the EU will have several redress mechanisms for cases where their data is mishandled by US companies, such as free-of-charge dispute resolution mechanisms or an arbitration panel, and the DPRC will be authorized to independently investigate and resolve complaints and even adopt binding remedial measures.
In a press release dated July 10, 2023, when the adequacy decision was adopted, President Ursula von der Leyen stated the following: “The new EU-U.S. Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic. Following the agreement in principle I reached with President Biden last year, the US has implemented unprecedented commitments to establish the new framework. Today we take an important step to provide trust to citizens that their data is safe, to deepen our economic ties between the EU and the US, and at the same time to reaffirm our shared values. It shows that by working together, we can address the most complex issues.”
Now that the adequacy decision has been adopted, the next step is a periodic review of the Data Privacy Framework (DPF) conducted by the European Commission, with the first such review set to take place within one year of the decision’s entry into force, in order to check whether the US legal framework has implemented all relevant measures for data protection and whether these are functioning properly.