Data Protection Academy » Data Protection News » EU-US Data Privacy Framework
Version as of July 2023
The EU-US Data Privacy Framework
In July 2023, the EU-US Data Privacy Framework (EU-US DPF) between the European Union (EU) and the United States (US) entered into force. The data protection agreement was agreed in 2022 and replaces the Privacy Shield, which was declared invalid by the European Court of Justice in 2020. The EU-US DPF aims to ensure that the data of EU citizens transferred to the US remains subject to the EU's high data protection standards. In the following article, you will learn what companies now need to consider and do. You will also get answers to the most frequently asked questions about the EU-US Data Privacy Framework.
Key information about the EU Standard Contractual Clauses
- On 10 July 2023 the EU-US Privacy Data Framework came into force.
- This is a Data protection agreement between the European Union (EU) and the United States (US).
- The EU-U.S. Data Privacy Framework is the third attempt the EU Commission, after Safe Harbor and EU-U.S. Privacy Shield, the Transfer of personal data to the USA without additional guarantees.
- After the so-called "Schrems II" ruling of the ECJ in 2020, companies lacked the Legal basis for the transfer of personal data to the USA. This legal basis is provided by the EU-U.S. Privacy Data Framework.
- However, the new adequacy decision is not effective enough for data protectionists. A Renewed complaint by data protection activist Max Schrems and his NGO none of your business (noyb) has already been announced.
Content on the subject of EU Standard Contractual Clauses:
Current Status and Emergence of the EU-US Data Privacy Framework
The EU-U.S. Data Privacy Framework (EU-U.S. DPF) is a new data protection agreement between the European Union (EU) and the United States (US). It was announced on 25 March 2022 and entered into force on 10 July 2023 adopted and brought into force by the European Commission.
Here are some of the most important events that led to the Development of the EU-U.S. DPF have led:
- July 2023: The adequacy decision and thus the EU-U.S. Data Privacy Framework is adopted and put into force by the European Commission.
- December 2022: The European Commission shall, based on the Executive Order, submit a draft adequacy decision under Article 45 GDPR before.
- October 2022: Issuance of a Executive Order by the President of the USA.
- March 2022The European Commission and the U.S. government agree on the EU-U.S. Data Privacy Framework.
- 2021: The EU and the US start negotiations on a new data protection agreement.
- 2020: The European Court of Justice (ECJ) declares the Privacy Shield Agreement invalid. The ECJ based its decision on the fact that the agreement does not provide effective protection of EU citizens' data from access by US intelligence services.
- 2016: The European Union (EU) and the United States (US) sign the Privacy Shield Agreement. The agreement aims to allow data to flow between the EU and the US without affecting the data protection rights of EU citizens.
- 2015: The European Court of Justice declares Safe Harbor invalid. The ECJ concluded that the Safe Harbor framework was not sufficient to protect the rights of EU citizens when their data is processed in the US.
- 2020: The Safe Harbor agreement is approved by the EU Commission and was based on EU data protection principles.
Whitepaper EU-U.S. Data Privacy Framework
In the whitepaper EU-U.S. Data Privacy Framework you will find:
- Information on the Origin and background of the EU-U.S. DPF
- Detailed Contents, advantages and criticism on the adequacy decision
- Tips for practical application of the EU-U.S. Data Privacy Framework
Background on the EU-US Data Privacy Framework
Schrems II and the EU-US Data Privacy Framework
The EU-US Data Privacy Framework is a response to the ruling of the European Court of Justice (ECJ) in the case of Schrems II. In this ruling, the ECJ invalidated the EU-US Privacy Shield, an agreement to protect personal data when transferred between the EU and the US. The reason for the invalidity of the Privacy Shield was that it No sufficient guarantees offered for the protection of EU citizens' data from access by US intelligence agencies.
The new data protection agreement is intended to close the gaps that have come to light in the Privacy Shield, which is why the EU-US Data Privacy Framework is also known as the "Privacy Shield 2.0". The Privacy Shield 2.0 contains a number of new provisions to ensure the protection of EU citizens' data in the US. These include limiting access to EU data by US intelligence agencies, creating an independent complaints mechanism and requiring US companies to treat EU citizens' data in accordance with EU data protection standards.
Executive Order on the EU-US Data Privacy Framework
The Executive Order on the EU-US Data Privacy Framework was signed by President Joe Biden on 7 October 2022. An Executive Order (EO) is a legal act issued by the President of the United States. EOs are used to direct and regulate federal administration, and they can also be used to create new federal policy. However, EOs do not have the same authority as laws passed by Congress, and they can be challenged by the Supreme Court.
The EO on the EU-US Data Privacy Framework has two main objectives:
- It aims to restore transatlantic data flows that were disrupted by the European Court of Justice's (ECJ) Schrems II ruling in 2020.
- It aims to create new safeguards for the processing of personal data of EU citizens by US service providers.
Adequacy Decision for the EU-US Data Protection Framework
The Adequacy Decision for the EU-US Data Protection Framework is a legal act of the European Commission that establishes that the US ensures an adequate level of protection for personal data transferred from the EU to US companies.
A Adequacy decision is a legal act of the European Commissionwhich states that a third country (a country outside the European Union) provides an adequate level of data protection for the processing of personal data of EU citizens. The European Commission issues an adequacy decision based on a number of factors, including the third country's legislation, the practices of data processors and the third country's monitoring mechanisms.
If the European Commission adopts an adequacy decision, this means that the processing of personal data of EU citizens in that third country is permitted without additional safeguards. If the European Commission does not adopt an adequacy decision, companies that transfer personal data of EU citizens to that third country must consider further appropriate safeguards (such as standard contractual clauses). If none of the appropriate safeguards are applicable, a transfer of personal data to a third country or an international organisation is only permitted in special circumstances that justify an exception.
Contents of the EU-US Data Privacy Framework
The EU-US Data Privacy Framework is a successor to the Privacy Shield agreement, which was declared invalid by the European Court of Justice (ECJ) in July 2020. The EUDPRF is based on the same basic principles as the Privacy Shield agreement, but also provides additional protections for EU citizens.
Aim of the EU-US Data Privacy Framework
The objective of the EU-US Data Privacy Framework (EU-US DPF) is to Enable transatlantic data transferby ensuring a high level of data protection for the personal data of EU citizens. The framework is based on the principles of lawfulness, fairness and transparency, purpose limitation and data minimisation, data accuracy and storage limitation, integrity and confidentiality, and data subject rights.
The agreement also contains a two-tier redress mechanism that allows data subjects to sue against violations of the law in surveillance by US intelligence agencies.
Regulations of the EU-US Data Privacy Framework
The EU-US Data Privacy Framework (EU-US DPF) contains a number of regulations that govern transatlantic data transfers. The most important regulations are:
- Basic principles: The EU-US DPF is based on the principles of lawfulness, fairness and transparency, purpose limitation and data minimisation, data accuracy and storage limitation, integrity and confidentiality, and data subject rights.
- Legal protection mechanism: The EU-US DPF contains a two-tier redress mechanism that allows data subjects to bring actions against violations of the law in relation to surveillance by US intelligence agencies.
- Supervisory authorities: The EU-US DPF provides for the establishment of two supervisory authorities responsible for monitoring compliance with the framework. One supervisory authority will be established by the EU and the other by the US.
- Surveillance: The EU-US DPF provides for supervisory authorities to monitor companies' compliance with the framework. Supervisors can also impose sanctions on companies that do not comply with the framework.
Basic Principles of the EU-US Data Privacy Framework
The EU-US Data Privacy Framework is based on the following fundamental principles:
- Based on the new framework, data can flow freely and securely between the EU and participating US companies.
- Implement a new set of rules and mandatory safeguards to limit US intelligence agencies' access to data to a level necessary and proportionate to protect national security; US intelligence agencies will establish procedures to ensure effective oversight of new standards in data protection and civil liberties
- A new two-tier redress system to investigate and resolve complaints from Europeans about US intelligence agencies' access to data, including a data protection review tribunal
- Strict obligations for companies processing data transferred from the EU, including the requirement of self-certification for compliance with the standards, via the US Department of Commerce
- Specific monitoring and review mechanisms
Two-tier redress mechanism of the EU-US DPF
The EU-US Data Privacy Framework contains a two-tier redress mechanism that allows data subjects to sue against breaches of the law in surveillance by US intelligence agencies.
In the first step complaints are investigated by the so-called "Civil Liberties Protection Officer" of the US Secret Service. This person is responsible for ensuring that US intelligence agencies respect privacy and fundamental rights.
In the second step data subjects have the opportunity to appeal the decision of the Civil Liberties Protection Officer to the newly created Data Protection Review Court (DPRC). This court consists of members outside the US government, they have the power to investigate complaints from EU citizens, including obtaining relevant information from intelligence agencies, and can make binding remedial decisions. For example, if the DPRC finds that the data collection was done in violation of the protections provided in the Executive Order, it can order the data deleted.
The two-tier redress mechanism of the EU-US DPF is controversial. Some experts criticise that the mechanism is too weak and that it is difficult for data subjects to take action against violations of the law. Other experts argue that the mechanism is an important step towards strengthening data protection for transatlantic data transfers.
Scope of the EU-US DPF and implications for standard contractual clauses and Binding Corporate Rule
All national security safeguards put in place by the US government (including the redress mechanism) apply to all data transfers under the GDPR to companies in the US, regardless of the transfer mechanisms used. These safeguards therefore also facilitate the use of other instruments, such as standard contractual clauses and Binding Corporate Rules. This means that a data transfer is also possible to companies that are not certified via the list of the U.S. Department of Commerce, insofar as the company implements other appropriate safeguards.
Companies that base their data exchange on the Standard Contractual Clauses (SCC), for example, can continue to do so, but must carry out a mandatory Transfer Impact Assessment (TIA).
Significance of the EU-US Data Privacy Framework
The EU-US Data Privacy Framework restores the transatlantic data flows that were disrupted by the European Court of Justice's (ECJ) Schrems II ruling in 2020. Since then, there has been much uncertainty for businesses when transferring personal data of EU citizens to US service providers. The Framework now aims to facilitate transatlantic data transfers again and protect the rights of EU citizens when their personal data is processed in the US.
The EU-US DPF is therefore an important step towards strengthening data protection for transatlantic data transfers. However, it remains to be seen whether the framework will be accepted by the courts.
According to Press release of the European Commission, the Framework is intended to promote transatlantic data flows and to implement the principles set out by the Court of Justice of the European Union in the Schrems-II-The new framework, according to the European Commission, represents an "unprecedented commitment by the US to reforms that will protect privacy and civil liberties in signal intelligence by the US". The new framework, according to the European Commission, represents an "unprecedented commitment by the US to reforms that will strengthen the protection of privacy and civil liberties in US signal intelligence".
What are the advantages of the EU-US DPF?
The advantages of the EU-US DPF are:
- It offers a adequate protection of the data of Europeans transferred to the USA, taking into account the ruling of the European Court of Justice (Schrems II).
- It facilitates the Transatlantic data transfer and provides for secure data flows.
- It shall Legal certainty for companies transferring personal data of EU citizens to the US by providing a permanent and reliable legal basis.
- It Strengthens trust between the EU and the US on data protection.
- It enables a continuous data flow, which supports €900 billion worth of cross-border trade every year.
- It promotes the competitive digital economy and the economic cooperation.
Criticism of the EU-US DPF?
While the EU-US DPF is an important step towards strengthening transatlantic data transfer, it is also subject to criticism. Some of the criticisms are:
- The two-tier redress mechanism is controversial and it is unclear whether it will be accepted by the courts. Therefore, it is controversial whether the framework is really legally secure.
- US intelligence agencies still have powers to monitor data and it is unclear whether the Framework can effectively limit these powers. The EU-US Data Privacy Framework is not effective enough for many data protectionists.
Data protection activist Max Schrems calls the EU-US Data Privacy Framework a "copy of the failed Privacy Shield". He and his NGO none of your business (noyb) have already published in a Press release announced that it would file a lawsuit again.
Practical application of the EU-US Data Privacy Framework
Certified companies from the USA
The EU-US Data Privacy Framework follows the sectoral approach. This means that personal data may only be transferred to certified companies. This certification is carried out by the U.S. Department of Commerce.
So if an EU company wants to work with a company from the US, it first checks whether this US company is certified. If this is the case, personal data can be transferred to these companies without applying additional data protection safeguards, such as standard contractual clauses (SCC).
Implement the EU-US Data Privacy Framework in 6 steps
1. identify service providers
Identify all US service providers and companies that transfer personal data to the US.
2. check certification
Check whether the company or service provider is listed on the List of the U.S. Department of Commerce listed and thus certified.
3. certified service providers
Check the company's subcontractors: are personal data processed in other third countries? Are there adequacy decisions or other guarantees for them?
4. non-certified service providers
If a service provider or company is not certified, one can first inquire about the status of the company's certification. If the company is not ready to be certified, further guarantees must be provided according to Article 46 GDPR be tested and implemented.
5. adapt privacy policy and cookie banners
Certification in accordance with the EU US Data Privacy Frameworks and the corresponding information on the service provider must be included in the data protection notices (Article 13 & Article 14 DSGVO) must be updated - both in the privacy policy and in the cookie banner.
6. Retain existing standard contract clauses (SCC).
The standard contractual clauses (SCCs) are a legally secure instrument for data transfers even after the EU-US Data Privacy Framework comes into force. In view of the fact that a lawsuit will most likely be filed against the EU-US Data Privacy Framework, you should retain existing SCCs with service providers and continue to develop them. monitor the continued validity of the EU-US Data Privacy Framework.
Video on the EU-U.S. Data Privacy Framework
In the video EU-U.S. Data Privacy Framework you will find:
In July 2023, the EU-U.S. Data Privacy Framework (EU-U.S. DPF) between the European Union and the United States entered into force. The data protection agreement was agreed in 2022 and replaces the Privacy Shield, which was declared invalid by the European Court of Justice in 2020.
Find out how the EU-U.S. Data Privacy Framework came about, what consequences it has for companies in the EU and why you should not terminate your existing standard contractual clauses for the time being in the video by lawyer Richard Bode.
The video is a recording of the Robin Data Hacks from 29 August 2023. The Robin Data Hacks take place online and participation is free of charge. Further information, dates and the opportunity to register.
Conclusion and practical recommendation
The EU-US DPF is still relatively new and it is not yet clear how it will be implemented in practice. Currently, the EU-US Data Privacy Framework facilitates data transfers between the EU and the US.
However, it is already to be expected that legal action will also be taken against the EU-US Data Privacy Framework. It is therefore unclear how long the new adequacy decision will remain in place. This is because there are manageable changes in terms of content compared to the Privacy Shield, meaning that a judgement from the ECJ could be reached more quickly this time. It should also be noted that even certified US companies could work with subcontractors in other third countries. Companies from the EU must check whether there are guarantees for these sub-processors in accordance with Article 46 GDPR.
The SCCs are a legally secure instrument for data transfer even after the EU-US Data Privacy Framework comes into force. We therefore recommend that you retain existing standard contractual clauses (SCC) with service providers for the time being and monitor the development towards the permanent validity of the EU-US Data Privacy Framework.
Further links:
- Link to the full text of the EU-U.S. Data Privacy Framework (English)
- Link to the list of organisations certified by the U.S. Department of Commerce (English)
- Link to the press release of the European Commission of 10 July 2023 (English)
- Link to the Executive Order on the EU-US Data Privacy Framework (EUDPRF) of 7 October 2022 (English)
- Link to the press release of the European Commission of 25 March 2022
- Link to the Transatlantic Privacy Framework Factsheet
- FAQ on the EU-US Data Privacy Framework (English)
- Internal control system - 10 September 2024
- TISAX requirements: Prepare certification step by step - 8 January 2024
- Audit management: Implementing audits more efficiently - 26 October 2023