In the wake of the ECJ's 2020 ruling in Schrems II, defining a "compliant" mechanism for transferring personal data from the EU to the US has not been easy. In short, the invalidation of the Privacy Shield created legal uncertainty for organisations on both sides of the Atlantic.
These uncertainties, and a desire for stakeholders to find a satisfactory data-transfer solution, led to the development of the EU-US Data Privacy Framework, or DPF. The European Commission deemed the Data Privacy Framework adequate on 10 July 2023. In its decision, the EC concluded that the US “ensures an adequate level of protection — compared to that of the EU — for personal data transferred from the EU to US companies participating in [the DPF].”
This article provides background information on EU-US data transfer compliance, summarises the new Data Privacy Framework, outlines steps organisations should take to comply, and explains why the EC’s decision may not be final.
Background: The EU-US Privacy Shield Framework
The EU-US Privacy Shield Framework was introduced in 2016, as the successor to the Safe Harbor arrangement, to help US companies meet EU data protection requirements (initially under the 1995 Data Protection Directive, later the GDPR) when receiving personal data from the EU. The framework allowed US companies to self-certify that they would apply protections equivalent to those provided in the EU to data transferred from the EU to the US.
In 2020, the European Court of Justice struck down the Privacy Shield in its Schrems II judgment (Case C-311/18). The case was brought by the Austrian privacy activist Max Schrems, who challenged the validity of the protections covering the transfer of his personal data from Facebook Ireland to Facebook in the US. The court held the Privacy Shield invalid because it did not adequately protect the data of individuals in the EU against access by US government surveillance programmes, and because those individuals had no effective means of redress in the US.
Fallout from the Schrems II ruling and the risks of non-compliance
Transatlantic data transfers were greatly affected by the ECJ’s ruling because thousands of companies had used the Privacy Shield to achieve compliance with EU rules. After Schrems II, companies that relied on the framework had to review their data transfer practices and consider alternative options to comply with EU data protection regulations.
One solution involved data processing and transfer agreements that incorporate the EU's standard contractual clauses (SCCs). Many such agreements between US and EU companies remain in place, but they are complex, running to dozens of pages. Schrems II also requires an exporter relying on SCCs to assess, case by case, whether the law of the destination country undermines the protection the clauses promise, and to adopt supplementary measures where it does.
Regardless of the mechanism used, one thing is certain: the risks of non-compliance with EU data privacy laws are significant. To take one prominent example, in May 2023 Ireland's Data Protection Commission fined Meta 1.2 billion euros for unlawfully transferring personal data from the EU to the US. Under the GDPR, fines for unlawful transfers can reach 20 million euros or 4 percent of a company's worldwide turnover for the preceding fiscal year, whichever is higher.
The countries involved in the new Data Privacy Framework
The Schrems II ruling created a need for a new mechanism for transferring data from the EU to the US that addresses the concerns raised by the ECJ. After years of negotiations between the US government and the European Commission, the US set out its commitments in Executive Order 14086 of October 2022, and in July 2023 the Commission adopted its adequacy decision for the EU-US Data Privacy Framework.
Under the new framework, personal data can flow compliantly from the EU to US companies that have self-certified under the DPF, without the need for SCCs or other additional transfer safeguards.
It should be noted that the DPF allows compliant personal data transfers to the US from the entire European Economic Area — that is, EU member states, Iceland, Liechtenstein and Norway. As we’ll see in the next section, the UK and Swiss governments also plan to use the DPF as a mechanism to transfer data to the US.
It's also important to put the DPF in the context of the EU's other adequacy decisions. Those decisions determine which countries outside the EU the European Commission recognises as providing an adequate level of data protection, so that personal data can be transferred to them without further safeguards. The EC maintains the list of recognised countries on its adequacy decisions page.
Steps US companies should take to comply
To rely on the DPF, a US company must self-certify to the US Department of Commerce through the DPF programme website, publicly commit to the DPF Principles, and update its privacy policy to reflect that commitment.
US companies can also use the same self-certification to sign up to the UK Extension to the EU-US DPF and to the Swiss-US DPF Principles, which allow compliant data transfers to the US from those jurisdictions. However, US companies may not rely on these mechanisms to receive personal data until the UK government and the Swiss government have deemed them adequate. At the time of this article's publication, the Swiss adequacy decision had not been made. The UK government laid the regulation before Parliament on 21 September 2023, and it takes effect on 12 October 2023.
As noted above, complying with the DPF requires US companies to update their privacy policies. Updated policies should state the company's adherence to the EU-US Data Privacy Framework Principles and, if applicable, to the UK Extension and the Swiss-US DPF Principles.
Considerations for EU residents and companies
The DPF has been developed to protect the data of EU residents, so it’s worth outlining the DPF’s protections. The new framework ensures:
- Access to EU residents' data by US intelligence agencies is limited to what is necessary and proportionate to protect national security
- US intelligence activities are subject to independent oversight to ensure compliance with those limitations
- An independent and impartial redress mechanism, including a new Data Protection Review Court, investigates and resolves complaints from individuals in the EU about access to their personal data by US national security authorities
As for EU-based companies, the DPF covers data transfers from any public or private entity in the EEA to US companies that have self-certified.
We recommend that any EU organisation transferring data to a US-based company check the DPF List on the DPF website to confirm that the US company has self-certified, that its certification is current, and that it covers the type of data being transferred (the list distinguishes between human-resources data and other data). If the recipient is not on the list, transfers to that entity must be made under another mechanism, such as an agreement that includes EU standard contractual clauses together with the transfer impact assessment that Schrems II requires.
Possible legal challenges and a note on SCCs
The DPF may face legal challenges. Max Schrems has voiced concerns about the new framework, stating that it is too similar to the invalidated Privacy Shield. And in September 2023, French lawmaker Philippe Latombe announced that he was challenging the DPF's legitimacy before the EU's General Court.
Challenges from critics like Schrems and Latombe could lead to legal disputes, and if so, those disputes may take years to resolve. In the meantime, organisations that transfer personal data from the EU to the US should familiarise themselves with the new DPF and keep abreast of developments.
Finally, it should be noted that the European Commission's adequacy decision for the EU-US Data Privacy Framework does not invalidate the EU standard contractual clauses, which the ECJ upheld in Schrems II and which remain a valid transfer mechanism in their own right. Remember that the DPF may be challenged and subsequently invalidated. Given that possibility, we recommend that companies with EU SCCs in place keep those agreements, and also self-certify under the DPF and update their policies. That way, if the DPF is eventually invalidated, they can fall back on their existing SCCs and avoid interruptions to data transfers. DPF-eligible companies that do not have EU SCCs in place now should simply self-certify.
The contents of this article are intended for informational purposes only. The article should not be relied on as legal or other professional advice. Neither Vistra Group Holding S.A. nor any of its group companies, subsidiaries or affiliates accept responsibility for any loss occasioned by actions taken or refrained from as a result of reading or otherwise consuming this article. For details, read our Legal and Regulatory notice at: http://www.vistra.com/notices . Copyright © 2023 by Vistra Group Holdings SA. All Rights Reserved.