The European Commission has adopted its adequacy decision for the EU-US Data Privacy Framework, paving the way for legal data transfers between the two jurisdictions, and possibly a new court case from Max Schrems.
Almost three years to the day since the Court of Justice of the European Union (CJEU) struck down the EU-US Privacy Shield, the EU has approved the EU-US Data Privacy Framework, allowing for a free flow of personal data to certified US organisations.
“The new EU-U.S. Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic,” said Ursula von der Leyen, the European Commission chief, in a new statement.
Since the EU and US reached the agreement last year, the US has implemented what von der Leyen described as “unprecedented commitments to establish the new framework”.
“Today we take an important step to provide trust to citizens that their data is safe, to deepen our economic ties between the EU and the US, and at the same time to reaffirm our shared values,” said von der Leyen. “It shows that by working together, we can address the most complex issues.”
The decision concludes that the US ensures an adequate level of protection, which is comparable to that of the EU, for personal data transferred from the EU to US companies under the new framework.
On the basis of the new adequacy decision, personal data can therefore flow safely from the EU to US companies participating in the new framework.
This will mean companies are saved from having to build in additional data protection safeguards.
The EU-US Data Privacy Framework introduces new binding safeguards to address all the concerns raised by the CJEU, including limiting access to EU data by US intelligence services to what is necessary and proportionate, and establishing a Data Protection Review Court (DPRC), to which EU individuals will have access.
The new framework introduces significant improvements compared with the mechanism that existed under the Privacy Shield.
For example, if the DPRC finds that data was collected in violation of the new safeguards, it will be able to order the deletion of the data.
The new safeguards in the area of government access to data will complement the obligations to which US companies importing data from the EU will have to subscribe.
“The EU-US Data Privacy Framework will be welcomed by many commercial organisations which have spent three years in limbo, unsure if their data transfers were lawful,” commented Rohan Massey, who heads up Ropes & Gray’s data, privacy and cybersecurity practice.
Massey added that the framework will also benefit organisations relying on standard contractual clauses for data transfers, as they will be able to cite some of the EU-US Data Privacy Framework protections as relevant to their requirements for technical and organisational measures needed to protect data outside the European Economic Area.
Going forward, the functioning of the EU-US Data Privacy Framework will be subject to periodic reviews, to be carried out by the European Commission, together with representatives from European data protection authorities and competent US authorities.
The first review will take place within a year of the entry into force of the adequacy decision, to verify that all relevant elements have been fully implemented in the US legal framework and are functioning effectively in practice.
However, although this announcement will be welcomed by many, Brussels and Washington could be heading for more problems with data transfers if Max Schrems, the privacy activist whose challenge to the Privacy Shield led to the 2020 Schrems II case, decides to challenge the new framework.
“They say the definition of insanity is doing the same thing over and over again and expecting a different result,” Schrems said via his campaign group NOYB (none of your business), which calls itself the European Center for Digital Rights.
“Just like 'Privacy Shield' the latest deal is not based on material changes, but by political interests.”
Schrems continued: “We now had 'Harbors', 'Umbrellas', 'Shields' and 'Frameworks' — but no substantial change in US surveillance law. The press statements of today are almost a literal copy of the ones from the past 23 years. Just announcing that something is 'new', 'robust' or 'effective' does not cut it before the Court of Justice.”
For Schrems to relinquish his campaign, there would need to be changes in US surveillance law.
In spite of what is likely a looming court case, Massey said that firms are likely to remain happy with the new agreement being in place.
“At this point, clarity, even in the short term, will be welcomed by any organisation engaged with transatlantic data transfers.”
Schrems has said, meanwhile, that the Vienna-based organisation has “various options for a challenge already in the drawer, although we are sick and tired of this legal ping-pong”.
NOYB says that it anticipates that it will be back at the CJEU by the beginning of next year.
In that case, the CJEU could even suspend the new deal while it reviews its substance.
“For the sake of legal certainty and the rule of law we will then get an answer if the Commission's tiny improvements were enough or not,” said Schrems. “For the past 23 years all EU-US deals were declared invalid retroactively, making all past data transfers by business illegal, we seem to just add another two years of this ping-pong now.”