Free personal data flow from Europe to the US, the end of the Schrems saga?
By Katia Volodine, Avocat à la Cour, Volodine Legal
The month of July marked an important milestone for privacy professionals as the European Commission issued an adequacy decision on the EU-US Data Privacy Framework (EU-US DPF) on 10 July 2023. As a reminder, any transfer of personal data from the EU to a third country (including the US) is regulated by the General Data Protection Regulation and can only be done based on certain permitted mechanisms such as an adequacy decision, standard contractual clauses, or binding corporate rules.
An adequacy decision allows cross-border data transfers outside the EU to a third country assessed as offering a level of protection of personal data comparable to that of the European Union, without the need for further authorization or conditions from competent authorities. The adequacy decision is based on a comprehensive assessment of the country’s data protection framework, such as the protection applicable to personal data and the available oversight and redress mechanisms.
The history of international transfers of personal data from the EU to the US has been marked by several attempts to find an adequate foundation for transatlantic data flows. The Safe Harbour and then the Privacy Shield were both invalidated by the CJEU in two judgments, colloquially named “Schrems I” and “Schrems II” (collectively, the “Schrems cases”). One of the reasons why the European Commission granted this adequacy decision is that the US adopted an executive order which, inter alia, provides binding safeguards that limit access to data by US intelligence authorities (a critical issue identified by the CJEU in the Schrems cases) to what is necessary and proportionate to protect national security, and sets up an independent and impartial redress mechanism, which includes a new Data Protection Review Court to investigate and resolve complaints regarding access to the data of European citizens by US national security authorities.
Now the EU commission and the US Department of Commerce may have improved the privacy framework by providing companies with the possibility to freely transfer personal data from the EU to the US.
US companies can certify their participation by committing to comply with a detailed set of privacy obligations and self-certifying through the website provided by the U.S. Department of Commerce, which will be responsible for administering the EU-US DPF. Compliance with the EU-US DPF by US companies will be enforced by the US Federal Trade Commission (the “FTC”).
An organization shall also be subject to the investigatory and enforcement powers of either the FTC, whose jurisdiction covers a broad range of commercial companies with some exceptions (banks, insurance companies, or telecommunication service providers), or the U.S. Department of Transportation. Other enforcement authorities may be added in the future.
A company shall also publicly declare its commitment to comply with the principles, publicly disclose its privacy policies in line with these principles, and fully implement them.
Also, the participating companies shall grant EU citizens several new rights (e.g. to obtain access to their data, or obtain correction or deletion of incorrect or unlawfully handled data).
In addition, the EU-US DPF offers different redress avenues in case data is wrongly handled, including free-of-charge independent dispute resolution mechanisms and an arbitration panel.
Once certified, companies are required to re-certify every year.
While the EU-US DPF is certainly welcome as a way to facilitate and provide more legal certainty for transatlantic data transfers, companies should stay cautious and continue relying on existing safeguards such as standard contractual clauses and the performance of a transfer impact assessment, especially since this EU-US DPF may be challenged in another new case before the CJEU (Schrems III?).