Data Privacy Framework: What Are the Implications?
The Insight from… Pierre-Eric Bénéteau, Partner, Analytics and Digital Products
With over fifteen years of experience at the intersection of marketing and data, Pierre-Eric joined Converteo shortly after its founding. Currently, as a Partner in the Analytics & Digital Products practice and lead for the Privacy offering, Pierre-Eric assists major companies in ensuring compliance with their data collection frameworks.
After three years of uncertainty, on July 10, 2023, the European Commission adopted an adequacy decision for the EU-U.S. Data Privacy Framework. Like the Privacy Shield, which was invalidated by the Court of Justice of the European Union (CJEU) in 2020, this framework aims to allow any European entity to transfer personal data from the EU to U.S. organizations certified under it without additional safeguards.
Key Takeaways:
- On July 10, 2023, the European Commission adopted a decision affirming that the United States provides a level of personal data protection equivalent to that of the European Union. This decision took effect immediately upon adoption.
- The new framework allows European companies to use solutions provided by certified U.S. companies once again. However, challenges to this decision before the Court of Justice of the EU are anticipated, and the stance of European data protection authorities regarding the use of specific solutions and services remains uncertain.
- The decision follows a thorough analysis of U.S. laws on data access by authorities and the new remedies available to affected Europeans.
- Criticism has already been voiced, notably by the organization Noyb, which points out similarities with the Privacy Shield and the fact that Section 702 of FISA, deemed disproportionate by the CJEU in the Schrems II ruling, remains in force unchanged.
What are the implications for European businesses?
An adequacy decision is a decision adopted by the European Commission under Article 45 of the GDPR, certifying that a country outside the European Union ensures an adequate level of protection for personal data. Such a decision takes into account the country’s domestic legislation, its supervisory authorities, and its international commitments.
Regarding the United States, the adequacy decision involved a thorough analysis of the EU-U.S. Data Privacy Framework (“DPF”) by the European Commission. Like the Privacy Shield, this DPF is based on a certification system where U.S. organizations commit to adhering to a set of privacy protection principles.
Such a decision allows European companies to transfer personal data to businesses located in the United States that are certified under the DPF without requiring additional safeguards (such as standard contractual clauses or a transfer impact assessment).
This new framework will notably enable European businesses to use solutions provided by certified U.S.-based companies (such as Google Analytics, whose use was challenged by the CNIL in February 2022 due to Google’s compliance with U.S. intelligence laws and inadequately regulated transfers to the United States).
What are the implications for American businesses?
Companies based in the United States will be able to receive and process personal data from Europeans, provided they are certified. To obtain certification, they must provide certain information to the U.S. Department of Commerce (“DoC”), such as a description of their processing purposes, the categories of data being processed, and the independent recourse mechanism they have chosen.
U.S. organizations certified under the Privacy Shield must update their privacy policies by October 10, 2023, but do not need to re-certify to participate in the DPF and can immediately receive personal data from the EU.
Additionally, certified organizations must be subject to the investigative and enforcement powers of the Federal Trade Commission (“FTC”) or the U.S. Department of Transportation (“DoT”) and must renew their certification annually to maintain adherence to the established principles.
What to expect in the coming weeks?
The adequacy decision, adopted despite the reservations of the EDPB and the European Parliament, remains controversial and may be referred to the CJEU in the coming months. Indeed, several data protection experts, including Max Schrems, have pointed out that Section 702 of FISA, which the CJEU found disproportionate under the Charter of Fundamental Rights of the European Union, remains unchanged, and the United States has declined to reform it. The Noyb association has already announced that it will file a legal challenge before the CJEU.
What the Adequacy Decision Contains
In its adequacy decision of July 10, 2023, the Commission first ensured that each personal data protection principle outlined in the GDPR is reflected in the DPF. This includes principles such as purpose limitation, data minimization, security, and accuracy, embodied in the “Data Integrity and Purpose Limitation Principle” and the “Security Principle,” which provide provisions similar to those in the GDPR.
In addition to the information required by the GDPR under the transparency principle, the “Notice Principle” mandates certified organizations to provide certain DPF-related information, such as available recourse mechanisms and the list of certified organizations.
The rights of data subjects, such as the right to access, information, rectification, or erasure, are encompassed in the “Access Principle.”
Subsequent data transfers are governed by the “Accountability for Onward Transfer” principle, which requires that onward transfers only occur: (i) for a limited and specific purpose, (ii) based on a contract between the certified organization and the third-party recipient, and (iii) only if this contract requires the third party to provide the same level of protection as guaranteed by the DPF principles.
The European Commission then reviewed the various avenues of recourse available to individuals affected by personal data processing. These individuals can choose to file a complaint directly with the certified organization in question, with an independent dispute resolution body designated by the certified organization, with national European data protection authorities, with the DoC, or with the FTC. If none of these available recourse options satisfactorily resolves the complaint, the individual can invoke the right to binding arbitration.
The Commission also assessed the limitations and new safeguards provided by U.S. law regarding access to data by U.S. public authorities. To address the issues raised by the CJEU in its Schrems II ruling, the United States adopted Executive Order 14086 on October 7, 2022, titled “Enhancing Safeguards for U.S. Signals Intelligence Activities,” complemented by regulations related to the Data Protection Review Court (DPRC). According to the Commission, these texts establish:
- Binding safeguards that limit access to data by U.S. intelligence services to what is necessary and proportionate to protect national security,
- Enhanced oversight of U.S. intelligence activities to ensure compliance with the limits imposed on surveillance activities,
- The establishment of an independent and impartial recourse mechanism through the creation of the DPRC, responsible for reviewing and resolving complaints regarding access to data by U.S. national security authorities.
With contributions from: Agathe Albenque, Véronique Chupin, Julien Ribourt