
Practical consequences of the EU-U.S. Data Privacy Framework

by Eva Jarbekk and Sigurd Fjærtoft-Andersen


Introduction

On 10 July 2023, the EU Commission adopted a new adequacy decision regarding the transfer of personal data from the EEA to the USA, through the signing of the EU-U.S. Data Privacy Framework ("DPF"). The purpose behind this adequacy decision was to establish a new legal basis for data transfers that aligns with the General Data Protection Regulation ("GDPR"), aiming to simplify transfers to the USA following the EU Court of Justice's decision in Schrems II in 2020. Here's an overview of the current situation.

Summary

The implementation of the DPF means that a new legal basis for transferring personal data from the EEA to the USA has been established. However, the rules for transfers to other non-approved countries, such as India, remain the same as before. The obligation to know where personal data is located and to account for it remains unchanged. Although transfers to the USA have become easier, the general obligations related to data transfers are essentially the same as before. A lawsuit challenging the validity of the DPF has already been announced, and the lawsuit will potentially be fast-tracked through the EU legal system. The outcome of this lawsuit is currently uncertain.


In practice, the DPF enables the free flow of personal data to self-certified American businesses, as transfers can happen without the need for Standard Contractual Clauses ("SCC") or other individualized transfer mechanisms. The consequence of this new legal basis is that transfers of personal data to U.S. companies under the DPF can be done under the same legal conditions as transfers within the EEA – a simple data processing agreement (along with a risk and vulnerability analysis and documentation of the risk assessments) is sufficient.


The new transfer rules will also have consequences for transfers to businesses that choose not to certify, following the EU Commission's acceptance of the USA's revised privacy and surveillance rules. Thus, the circumstances surrounding the DPF can also simplify transfers based on mechanisms like SCCs, although other requirements such as a TIA (transfer impact assessment), risk and vulnerability analyses and other risk analysis documentation will still apply.

Transfer of personal data under the DPF

The new framework is based on a self-certification scheme, where American businesses can be certified to receive personal data from the EEA if they commit to processing data in accordance with the DPF. Self-certified businesses are listed in the official DPF registry (https://www.dataprivacyframework.gov/s/). In practice, this means that personal data can be transferred freely to self-certified American companies in the same way, and under the same legal conditions, as for transfers within the EEA. Certification under the DPF is valid for one year and must be renewed upon expiration.


Before using the new transfer mechanism, one must ensure that the correct legal entity in the USA is registered as certified, and that the recipient has an "active" status on the certification list. Underlying contractors (sub-processors) who receive personal data must also be certified. Information about the certification should be included in the recipient's privacy policy. Additionally, individual privacy policies, data processing agreements, and Article 30 protocols should be updated to indicate the use of the DPF as a transfer mechanism. Other requirements such as risk assessments and documentation would still apply.


Many businesses have already been certified, but it is essential to ensure that the certification covers the type of data being transferred. The certification distinguishes between HR data and other data. HR data refers to information about employees, while other data covers all other personal data. The certification list shows which type of data each business is certified to receive. To illustrate the importance of correct certification, we note that recipients of HR data must undertake to cooperate with European data protection authorities in case of any complaints against the company's data processing, while recipients of other data are obliged to make an independent dispute resolution mechanism in the USA available.


Currently, major companies such as Facebook have yet to certify themselves. The lack of certification from such major companies may be related to NOYB's announced legal action, as described in the section on NOYB below. Nevertheless, there is reason to believe that self-certification will be used by all major companies in the near future, and that the largest companies will be early adopters of the DPF.

Establishment of New Control Mechanisms under DPF

U.S. authorities have established new control mechanisms for handling complaints from European data subjects. These mechanisms are established to oversee complaints and maintain control over the American intelligence agencies' collection and use of European citizens' data. In the first instance, complaints from European data subjects are investigated by a "Civil Liberties Protection Officer" ("CLPO") from a U.S. intelligence agency, who shall ensure that U.S. intelligence agencies comply with privacy regulations. Additionally, a new court called the "Data Protection Review Court" ("DPRC") has been established, which functions as an appellate body for decisions made by the CLPO. The DPRC includes members from outside the U.S. government and can make binding corrective decisions on intelligence agencies' use of personal data. These control mechanisms are generally applicable to all personal data transferred from the EEA to the USA, regardless of whether the recipient is certified.


European citizens can initiate these mechanisms by presenting complaints to their respective national supervisory authorities, e.g. Datatilsynet in Norway. The supervisory authorities shall ensure that complaints are forwarded to and reviewed by the relevant oversight bodies.


Company self-certification also has an oversight mechanism. The DPF administration assesses and validates the self-certification before companies are listed as self-certified. If the certification requirements aren't met, the administration provides feedback on the necessary steps for compliance with the DPF. The U.S. Department of Commerce ("DOC") can also conduct random spot checks to ensure that self-certified businesses adhere to DPF regulations.

Transfer of personal data to non-certified U.S. companies

For American companies that choose not to certify under the DPF, transfers of personal data from the EEA require an alternative legal basis. In practice, such transfers will likely continue to rely on SCCs, and the adoption of the DPF will also have an impact on such transfers. This is because the EU Commission's acceptance of the USA's revised privacy and surveillance rules is based on a Presidential Executive Order which limits intelligence agencies' access to personal data to what is necessary and proportionate for the protection of national security. As the Executive Order applies to all types of data transfers, it also affects the assessment of data transfers made through SCCs and other alternative transfer mechanisms. Hence, the EU Commission's acceptance of American privacy and surveillance rules applies to all types of data transfers from the EEA to the USA in general.


Datatilsynet has stated that the Commission's assessment of transfers to non-certified companies can be trusted, provided that the American recipient is not bound by any extraordinary rules that imply a greater degree of transparency and surveillance when compared to what applies to ordinary American companies.

NOYB – a potential Schrems III?

NOYB has announced that they will bring the legality of the DPF before the EU Court of Justice. There is reason to assume that NOYB will take such legal actions as soon as transfers based on the DPF occur. It is currently difficult to predict the outcome of such a lawsuit, but a number of well-founded objections have been raised against the new regulations.


Datatilsynet has stated that the framework for transfers will be valid unless and until it is repealed by the EU Court of Justice. However, they clearly state that transfers to the USA under the DPF may once again become illegal as a result of a possible Schrems III. Datatilsynet's mention of a possible Schrems III may indicate a more forward-looking supervision of the framework compared to what happened after Schrems II; at that time, they were clear that transfers initiated before Schrems II were assessed somewhat more leniently than transfers initiated after the decision. For transfers to the USA, it may therefore still be appropriate to consider how a "roll-back" could take place if needed.


Furthermore, it is worth noting that the EU Court of Justice would likely expedite its processing of a lawsuit from NOYB, and that a decision in the case could be reached much faster than in Schrems I and Schrems II, which took several years.

Transfer to other third countries

Since the DPF only covers transfers of personal data from the EEA to the USA, it does not impact how data is transferred to other jurisdictions. Therefore, the DPF does not practically affect transfers of personal data to other major IT countries outside the EEA, meaning such transfers still rely on alternative mechanisms such as SCCs.
