How we got to the DPF.
Chandani Patel Thompson
Director, Legal and Privacy Leader | Speaker | Author | Expert Problem Solver
Back in July of 2020, companies were left with uncertainties regarding how to transfer personal data across the Atlantic while complying with the EU's General Data Protection Regulation (GDPR). The Court of Justice of the European Union (CJEU) in the case of "Schrems II" had ruled that the Privacy Shield did not adequately protect the privacy rights of European citizens when their data was transferred to the United States due to concerns over US government surveillance practices.
This caused companies to turn to other mechanisms to legitimize data transfers, such as Standard Contractual Clauses (SCCs). SCCs are standard data protection clauses adopted by the European Commission that set out the obligations of data exporters and importers when transferring personal data. However, the "Schrems II" ruling also put SCCs under scrutiny: companies relying on them are required to conduct case-by-case assessments, better known as "Transfer Impact Assessments" (TIAs), to confirm that the data transfer still offers an adequate level of protection in the destination country.
The European Commission and the U.S. Department of Commerce had been working to negotiate a new EU-US Privacy Shield or an alternative framework that could replace it. After many challenges, that day finally came on July 10th, 2023, nearly three years later.
Titled the EU-US Data Privacy Framework or "DPF," this alternative framework allows the free and "safe" transfer of personal data from the EU to US companies that have certified under it, without additional privacy safeguards, meaning no SCCs or TIAs are required for those transfers.
US companies can join the framework by committing to various other privacy obligations, such as ensuring data is protected when shared with third parties, and deleting personal data when it is no longer needed. The decision’s safeguards also stem from the White House’s Executive Order last year on the framework. The safeguards include limiting government access to data to whatever is “necessary and proportionate to protect national security”. Intelligence agencies will be monitored carefully to ensure that their surveillance activities are limited.
EU residents also get new rights under the framework, like the right to access their data, and to correct or delete incorrect or “unlawfully handled data”. The adequacy decision also mandates separate and stringent privacy protections for sensitive data (like health data) transferred between the two countries. Companies participating are expected to follow data minimization practices, while ensuring that the data they have is factually accurate.
The US safeguards on government access will also apply when EU data is transferred under other mechanisms, like standard contractual clauses or binding corporate rules (BCRs).
If an individual feels there has been a violation in the collection and use of their data, the US Government has established a new two-layer redress mechanism, with independent and binding authority, to handle and resolve complaints from any individual whose data has been transferred from the EEA to companies in the US. For a complaint to be admissible, individuals do not need to demonstrate that their data was in fact collected by US intelligence agencies. They can submit a complaint to their national data protection authority, which will ensure that the complaint is properly transmitted and that any further information relating to the procedure, including on the outcome, is provided to the individual. This ensures that individuals can turn to an authority close to home, in their own language.
Complaints will be transmitted to the United States by the European Data Protection Board. From there, the Civil Liberties Protection Officer of the US Office of the Director of National Intelligence will investigate the complaint, and decisions can be appealed before the Data Protection Review Court (DPRC). The DPRC is an independent body composed of judges from outside the US government, with powers to access information from US intelligence agencies and to issue binding remedial decisions. For example, it can order data deletion if it finds that the framework’s safeguards have been violated.
So, what's next? The United States Department of Commerce will administer the framework, while compliance with it will be enforced by the United States Federal Trade Commission. The framework’s functioning will also be periodically reviewed by European data protection authorities, the European Commission, and US authorities. The first review will take place one year into the decision’s implementation.
All that said, the DPF continues to be controversial. Max Schrems, the Austrian online privacy activist who founded the campaign group NOYB and whose complaints produced the "Schrems II" ruling, said he planned to sue again after the European Commission adopted the DPF. “Just announcing that something is ‘new,’ ‘robust’ or ‘effective’ does not cut it before the Court of Justice,” Mr. Schrems said in a statement, referring to the European Union’s top court. “We would need changes in U.S. surveillance law to make this work — and we simply don’t have it.”
Members of the European Parliament, who had no direct role in the negotiations, have also criticized the agreement: in May they passed a nonbinding resolution saying that the agreement failed to create adequate protection.
What do you think? Will the DPF hold, or are we looking at an amendment to the DPF in our future?