It all feels quite familiar, doesn’t it? It was just seven years ago that the privacy world was fixated on the Court of Justice of the European Union (CJEU) and its ruling in the Schrems I case. The decision ultimately led to the downfall of the Safe Harbor framework and gave rise to the EU-US Privacy Shield.
As it happened, the EU-US Privacy Shield would only last four years before a second complaint made by Max Schrems led to the CJEU invalidating the framework in July 2020. In the 12 months following the decision, organizations had to contend with uncertainty over the lawfulness of their data transfers from the EU to the US - some European DPAs ruled that the use of US-based analytics services had become unlawful in the fallout from the decision.
While the European Commission issued revised Standard Contractual Clauses (SCCs) and the European Data Protection Board’s (EDPB) released guidance on supplementary transfer measures, efforts to agree on a new trans-Atlantic data transfer framework that would meet the CJEU’s criteria, continued.
Late in 2022, the European Commission adopted it draft adequacy decision on the EU-US Data Privacy Framework leading to more than six months of deliberations.
So, how is this new framework different from what came before? And, what happens next?
Take yourself back – the year is 2000 and the European Commission is making an agreement with its US counterparts on a mechanism that would protect the personal data of EU citizens transferred to the US by US-based companies. The agreement was built on a self-certification method that allowed companies to declare they are protecting the personal data of EU citizens in line with the terms of the agreement.
For over a decade, organizations relied on the Safe Harbor agreement to move data from the EU to the US without having to rely on SCCs or other contractual obligations. However, in 2013 Edward Snowden revealed classified NSA documents to the wider world which shed light on the US government’s surveillance practices.
A complaint regarding such access was duly issued by Max Schrems to the Irish Data Protection Commission (DPC) regarding Facebook’s data sharing practices from its European office to its US headquarters.
Following an escalation from the DPC to the CJEU, the Safe Harbor agreement was struck down - meaning organizations that relied on the agreement needed to put in place other contractual measures to ensure that personal data was protected to the same standard as provided by the Data Protection Directive.
Less than six months after the invalidation of the Safe Harbor agreement, parties in the EU and US began negotiations over a new framework to offer stronger protections for EU citizens’ personal data. In July of 2016, the European Commission formally adopted the EU-US Privacy Shield – allowing organizations to once again be able to transfer the personal data of EU citizens to the US in reliance of this mechanism.
During this time, Max Schrems had already filed a second complaint with the DPC. On this occasion, focused on Facebook’s use of SCCs to transfer personal data from the EU to the US. Again, the complaint was referred to the CJEU along with 11 questions for the court to address. Among them was whether the recently adopted Privacy Shield was a suitable mechanism for protecting EU personal data from US government agencies.
It wasn’t. On July 16, 2020, the CJEU issued its long-awaited decision in the Schrems II case declaring the EU-US Privacy Shield invalid. The court upheld the use of SCCs but cast serious doubt over their effectiveness as they were being used.
While the invalidation of an EU-US transfer framework was not a new scenario for organizations to contend with, the additional fallout and uncertainty surrounding the validity of SCCs and other transfer mechanisms was.
On November 12, 2020, the European Commission published a set of revised SCCs for public consultation that were adopted in June 2021. Just days later, the EDPB adopted its final recommendations on supplementary transfer measures that highlighted a six-step roadmap which included the need to conduct a Transfer Impact Assessment and identify and implement appropriate supplementary measures for transferring personal data to a third country.
Like in 2015, organizations were once again left having to rethink the way that they approach personal data transfers. Only this time they were also required to update existing contracts with the new SCCs within an 18-month transition period and ensure that supplementary measures were in place to ensure an essentially equivalent level of data protection.
In March 2022, the European Commission announced that an agreement in principle had been reached with the US over a new EU-US Data Privacy Framework – kicking off deliberations about the framework’s particulars.
As part of the draft framework, national surveillance agencies would be held to stricter standards for what personal data they can access and how they can access it. A clearer definition of what is deemed “necessary and proportionate” will help set the guard rails for government access and data subjects will also have access to a multi-layered redress mechanism in cases of non-compliance – an area that was central to the CJEU’s decision to invalidate the EU-US Privacy Shield.
In October 2022, President Biden issued an Executive Order strengthening the safeguards for signals intelligence activities. In December, the European Commission adopted its draft adequacy decision, starting the formal adoption process in the EU. As the framework made its way through the various parties involved in this process it came under different levels of criticism. In February 2023, the EDPB issued its opinion which largely welcomed the improvements made by the framework. However, the EDPB called upon the European Commission to address several areas of the framework including subject rights and onwards transfers. Additionally, the European Parliament adopted a resolution in which it stated that the framework “is an improvement, but not enough to justify an adequacy decision on personal data transfers.”
In the US, the Secretary of Commerce issued a statement declaring that the US has fulfilled its commitments for implementing the EU-US Data Privacy Framework enabling the EU to finalize the agreement.
Following this statement, on July 4, 2023, the European Commission Comitology Committee tabled a written vote on the revised draft adequacy decision – sign off from the Committee being an essential requirement for the Commission to adopt its adequacy decision.
Finally, on July 10, 2023, the European Commission announced that it had adopted its adequacy on the EU-US Data Privacy Framework. The decision restored an important data transfer mechanism for use between the EU and the US and well as introducing limitations on US surveillance agencies’ access to EU personal data and an individual redress mechanism. Initial reaction to the decision was mixed with parties on both sides of the Atlantic welcoming the framework’s impact on EU-US trade, while campaign group noyb claimed that the framework would be back before the CJEU before the end of the year. In response, European Commissioner for Justice, Didier Reynders recommended waiting to assess how effective the framework is in practice before attempting to bring it before the courts.
The framework entered into force on July 11, 2023 and participating organizations are required to adhere to the privacy principles under the EU-U.S. DPF, including the requirement to self-certify through the U.S. Department of Commerce.