Transferring personal data under the EU-US Data Privacy Framework

4 October 2023
Starting in July 2016, US companies relied on the EU-US Privacy Shield to transfer personal data across the Atlantic in compliance with EU rules. In July 2020, however, the European Court of Justice invalidated the Privacy Shield over worries about US government surveillance practices.

In the wake of the ECJ’s 2020 ruling, defining a “compliant” mechanism for transferring data from the EU to the US has not been easy. In short, the invalidation created legal uncertainties for organisations in the US and the EU.

These uncertainties, and a desire for stakeholders to find a satisfactory data-transfer solution, led to the development of the EU-US Data Privacy Framework, or DPF. The European Commission deemed the Data Privacy Framework adequate on 10 July 2023. In its decision, the EC concluded that the US “ensures an adequate level of protection — compared to that of the EU — for personal data transferred from the EU to US companies participating in [the DPF].”

This article provides background information on EU-US data transfer compliance, summarises the new Data Privacy Framework, outlines steps organisations should take to comply, and explains why the EC’s decision may not be final.

Background: The EU-US Privacy Shield Framework

The EU-US Privacy Shield Framework was introduced in 2016 to help US companies comply with the GDPR when transferring personal data from the EU. The framework allowed US companies to certify their compliance with the GDPR — and guarantee equivalent data protection to that provided in the EU — when making transfers from the EU to the US.

In 2020, the European Court of Justice struck down the Privacy Shield in its Schrems II case. The case was brought by an Austrian privacy activist named Max Schrems, who questioned the validity of privacy protections covering the processing of data from Facebook Ireland to Facebook USA. The 2020 ECJ decision in Schrems II deemed the Privacy Shield invalid due to insufficient protection against potential US government access to information belonging to European citizens.

Fallout from the Schrems II ruling and the risks of non-compliance

Transatlantic data transfers were greatly affected by the ECJ’s ruling because thousands of companies had used the Privacy Shield to achieve compliance with EU rules. After Schrems II, companies that relied on the framework had to review their data transfer practices and consider alternative options to comply with EU data protection regulations.

One solution involved implementing International Personal Data Processing and Transfer Agreements that incorporate EU standard contractual clauses (SCCs). Many transfer agreements with SCCs between US and EU companies remain in place, but they are complex, running to dozens of pages.

Regardless of the mechanism used, one thing is certain: the risks of non-compliance with EU data privacy laws are significant. To take one prominent example, the EU fined Meta 1.2 billion euros in May 2023 for unlawfully transferring personal data from the EU to the US. Under the GDPR, fines can be up to 20 million euros or up to 4 percent of a company’s global turnover of the preceding fiscal year.

The countries involved in the new Data Privacy Framework

The Schrems II ruling created a need for a new framework to transfer data from the EU to the US while addressing concerns raised by the ECJ. In July 2023, after years of negotiations, the US government and the European Commission unveiled the EU-US Data Privacy Framework.

Under the revamped framework, personal data can flow compliantly from the EU to US companies without additional data protection measures.

It should be noted that the DPF allows compliant personal data transfers to the US from the entire European Economic Area — that is, EU member states, Iceland, Liechtenstein and Norway. As we’ll see in the next section, the UK and Swiss governments also plan to use the DPF as a mechanism to transfer data to the US.

It’s also important to put the DPF in the context of other EU adequacy decisions. The decisions determine which countries outside the EU have an adequate level of data protection per the European Commission. The EC maintains a list of countries that are recognised as providing adequate protection on its adequacy decisions page. 

Steps US companies should take to comply

To participate in the EU-US Data Privacy Framework, US companies must self-certify, publicly commit to comply with the EU-US DPF Principles, develop a DPF-compliant privacy policy, and take certain other steps. US companies can self-certify at Companies must recertify annually, confirming that they follow the framework’s principles. 

US companies can also use the DPF to self-certify compliance with the UK Extension to the EU-US DPF and to the Swiss-US DPF Principles, which will allow for compliant data transfers to the US from those jurisdictions. However, US companies may not rely on these mechanisms to receive personal data until the UK government and the Swiss government deem the mechanisms adequate. At the time of this article’s publication, the Swiss adequacy decision had not been made. The UK government submitted the regulation to Parliament on 21 September 2023, and it will take effect 12 October 2023.

As mentioned, to comply with the DPF, US companies must update their privacy policies. Updated policies should emphasise a company’s adherence to the EU-US Data Privacy Framework principles and to the UK and Swiss data privacy principles, if applicable.

Updating policies can be a demanding task, even for those companies that participated in the now-invalid Privacy Shield. In those cases, merely changing the program's name in the privacy policy from "Privacy Shield" to "Data Privacy Framework" will not suffice. Companies must tailor their policies to fit their unique situations and ensure alignment with the new DPF. In many cases, a company will want to hire a third-party expert to ensure its updated policies promote compliance with EU rules and minimise risk.

Considerations for EU residents and companies

The DPF has been developed to protect the data of EU residents, so it’s worth outlining the DPF’s protections. The new framework ensures:

  • US intelligence authorities have limited access to EU residents’ data
  • US intelligence services will be closely monitored to ensure compliance with limitations
  • There will be an independent and impartial redress mechanism that includes a new Data Protection Review Court to investigate and resolve complaints about access to personal data by US national security authorities

As for EU-based companies, the DPF covers data transfers from any public or private entity in the EEA to US companies that have self-certified.

We recommend that any EU organisation transferring data to a US-based company check the DPF website to ensure the US company has self-certified. If not, the data transfers to that entity must be made under another mechanism, such as an agreement that includes EU standard contractual clauses.

Possible legal challenges and a note on SCCs

The DPF may face legal challenges. Max Schrems has voiced concerns about the new framework, stating that it’s too similar to the invalidated EU-US Privacy Shield Framework. And in September 2023, French lawmaker Philippe Latombe announced his intention to challenge the DPF’s legitimacy.

Challenges from critics like Schrems and Latombe could lead to legal disputes, and if so, those disputes may take years to resolve. In the meantime, organisations that transfer personal data from the EU to the US should familiarise themselves with the new DPF and keep abreast of developments.

Finally, it should be noted that when the ECJ adopted its adequacy decision for the EU-US Data Privacy Framework, it did not invalidate existing EU standard contractual clauses. Remember that the DPF may be challenged and subsequently invalidated. Given that possibility, we recommend that those companies with EU SCCs in place maintain those agreements. The companies should also self-certify under the DPF and update their policies. That way, if the DPF is eventually invalidated, the companies may be able to fall back on their existing SCCs and prevent data-transfer interruptions. DPF-eligible companies that do not have EU SCCs in place now should simply self-certify.