What the new EU-US Data Privacy Framework means for business
Legal challenges await the DPF and businesses should keep their options open
The new arrangement for EU-US transfer of personal data is an improvement over previous regulations in privacy terms, but has enough changed for the European Court of Justice to see it that way?
The EU-US Data Privacy Framework (DPF), which was signed into EU law last week, means that companies wishing to transfer personal data to the US no longer have to rely on individual arrangements like binding corporate rules (BCRs) and standard contractual clauses (SCCs), as they have since the collapse of Privacy Shield in 2020. They can now self-certify under the DPF and agree to be bound by its conditions.
Self-certification will be easier for those companies that already have SCCs and BCRs or were previously certified under Privacy Shield, as they will have already jumped through many of the required hoops. For new businesses, compliance should also be much more straightforward than with the patchwork of interim measures that have been in place for the last three years.
What has changed since Privacy Shield?
The US-EU Privacy Shield data transfer arrangement failed for the same reason as its predecessor, Safe Harbour: the incompatibility of US bulk surveillance of non-US citizens and EU law on individual rights, including GDPR. Both Privacy Shield and Safe Harbour were brought down after the European Court of Justice (ECJ) found in favour of activist lawyer Max Schrems.
Schrems has pronounced himself unimpressed by the new DPF. "Just announcing that something is 'new,' 'robust' or 'effective' does not cut it before the Court of Justice. We would need changes in US surveillance law to make this work," he said in a statement, adding that he expected to launch a legal challenge in the next few months.
Nevertheless, some progress has been made in what is a difficult task of aligning two very different legal systems, with each US state having its own laws, said Jo Joyce, senior counsel and information rights specialist at law firm Taylor Wessing. "There has been a huge effort to try to put in place meaningful equivalence, and there's a big shift in terms of the concepts of privacy."
US intelligence agencies are now required to think in unfamiliar European terms of "necessity" and "proportionality" when requesting data, as judged by the Privacy and Civil Liberties Oversight Board, and there are now means of redress for European citizens in the shape of the new Data Protection Review Court that weren't there before.
So things are moving in the right direction, but is it enough? The European Commission (EC), the US authorities and businesses are keen to remove this stone from their collective shoes and move on, but certain issues remain and the ECJ has persistently demonstrated its independence. The longevity of the DPF is far from guaranteed.
Independent regulator the European Data Protection Board (EDPB) concluded earlier this year that, despite positive progress on privacy, "certain rights of data subjects, onward transfers, the scope of exemptions, temporary bulk collection of data and the practical functioning of the redress mechanism," could do with further clarification.
Another sticking point could be AI.
"The EDPB highlights the importance of addressing rapid developments in AI-driven automated decision-making and profiling," said Jas Johal, senior director with management consultancy Alvarez & Marsal's privacy and data compliance services. "Effective oversight, enforcement and compliance checks are crucial, and the EDPB will closely monitor these aspects, including periodic reviews."
There will also be periodic reviews of the DPF by the EC, European data protection authorities (DPAs) and the US authorities, with the first scheduled for July 2024, Johal added.
The right to redress
The passing of the framework takes the pressure off the US to do something about the contentious FISA Section 702 surveillance law, which is up for renewal at the end of this year and could well be extended, according to Joyce. It may have been tamed somewhat by the new measures, but there is still "plenty" for privacy campaigners to be concerned about, she said. "Fundamentally, the rights afforded to US citizens just aren't available to non-citizens. There's no getting away from that."
But the issue most likely to cause problems will be the right to redress. The first port of call for EU citizens pursuing their rights will be European DPAs, which will then pass the case onto the US authorities. Given that the DPAs regularly complain about their excessive workload and inadequate funding, this is unlikely to be the quick and efficient process that the GDPR requires.
"I think the broader concern is whether there's adequate access to the mechanism; European procedure is all about ease of access and ease of compliance. I think the number of hoops that individuals will have to jump through to make use of this new court could be a problem," said Joyce.
What should data importers and exporters do now?
So, should US businesses importing personal data wait for the outcome of a possible legal challenge? Not at all, said Joyce: they should self-certify under the DPF, but if they and their data-exporting EU partners are using BCRs or SCCs, they shouldn't abandon them just yet, in case the DPF follows its predecessors into oblivion.
If the new arrangement fails, companies will have to undertake new transfer impact assessments (TIAs) and change their privacy notices, said Johal, who agreed that adopting BCRs and SCCs again should be simpler after having self-certified.
"The DPF is still reliant upon self-certification, and the ability of a US data importer to process data in accordance with GDPR remains the responsibility of the EU exporting data controller," he explained. "As such, EU companies may still require contractual measures in their data processing agreements based on or similar to the SCCs in order to protect their own interests and responsibilities around the management of EU data."
How will the DPF deal affect the UK?
UK businesses no longer need to comply with the GDPR, but if UK data protection law were to diverge too far from that in Europe, the bloc could reverse its adequacy judgement.
For now, though, the DPF ruling paves the way for the UK Extension of the Data Privacy Framework to facilitate the transfer of data between the UK and the US under UK law, also called the "data bridge".
"The Department of Commerce has released guidance stating that starting from 17th July, US organisations within the DPF can also self-certify for the UK Extension," said Johal.
"However, they cannot rely on it for transferring UK personal data until the UK adequacy regulations are implemented. Although there is no specific timeline for establishing the UK Extension, it is recognised as a priority."