European Commission Approves EU-U.S. Privacy Framework


Summary

The European Commission has approved an adequacy decision for the EU-U.S. Data Privacy Framework, recognizing the United States as offering a level of data protection equivalent to that within the European Union (EU). The decision permits the safe and free transfer of personal data from the EU to U.S. companies enrolled in the Framework without requiring additional data protection measures. But such a decision has been granted twice before, only to be invalidated both times…

Short History of Data Sharing Between the US and the EU

  • Safe Harbor Framework (2000-2015): The EU-US Safe Harbor Framework allowed US companies to receive personal data from EU territories by self-certifying that they complied with the EU’s high privacy standards. The arrangement was invalidated by the European Court of Justice (ECJ) in 2015 in a case known as Schrems I (more on this later), on the ground that it did not sufficiently protect European citizens against US surveillance.

  • EU-US Privacy Shield (2016-2020): To replace Safe Harbor, the EU-US Privacy Shield was established in 2016, again permitting US companies to transfer data from the EU under certain conditions. The agreement faced criticism regarding US surveillance practices, and was ultimately struck down by the ECJ in July 2020 (Schrems II), declaring it did not provide adequate protections for EU citizens.

  • “The Framework” (2020-Present): After the invalidation of the Privacy Shield, data transfers have been in legal limbo, with companies often relying on Standard Contractual Clauses (SCCs) to ensure data protection compliance… and that brings us to today.

  • Last Week’s Adequacy Decision (July 2023)


Who Is Max Schrems?

Schrems came to prominence in 2011 while still a law student, when he requested his personal data from Facebook and received a file of over 1,000 pages. This led him to file 22 complaints against the company with the Irish Data Protection Commissioner, as Facebook's European headquarters are in Ireland.

He is the founder of the privacy advocacy group 'None of Your Business' (NOYB), which uses strategic litigation to strengthen data protection laws. Schrems' legal challenges against transatlantic data agreements have twice led to their invalidation by the European Court of Justice. His first case, known as "Schrems I", led to the dismantling of the Safe Harbor Framework in 2015. The second case, "Schrems II", resulted in the invalidation of the EU-US Privacy Shield in 2020. His primary concern is the protection of EU citizens' data from US surveillance.


The New Adequacy Decision

The new Framework introduces safeguards that address the concerns previously raised by the European Court of Justice (ECJ). These measures limit U.S. intelligence services' access to EU data to what is necessary and proportionate. A significant feature is the creation of the Data Protection Review Court (DPRC), to which EU individuals can bring complaints and which has the power to order the deletion of data in cases of violations. The Framework also obligates U.S. companies importing data from the EU to adhere to these new safeguards.

EU individuals also benefit from several redress avenues in case their data is mishandled by U.S. companies, including free-of-charge dispute resolution mechanisms and an arbitration panel. Additionally, the U.S. legal framework introduces safeguards regarding data access by U.S. public authorities, especially for criminal law enforcement and national security purposes. EU individuals will also have access to an independent redress mechanism concerning the collection and use of their data by U.S. intelligence agencies.

How Does This Affect U.S. Companies?

Companies in the U.S. can join the EU-U.S. Data Privacy Framework by committing to a detailed set of privacy obligations, including the deletion of personal data when it is no longer necessary and ensuring the continuity of protection when data is shared with third parties.

The effectiveness of the EU-U.S. Data Privacy Framework will undergo periodic reviews by the European Commission in collaboration with representatives of the European data protection authorities and the competent U.S. authorities. The first review will occur within a year of the decision's entry into force, to confirm that all relevant elements of the U.S. legal framework have been fully and effectively implemented.

The decision follows the ECJ's invalidation of the previous adequacy decision on the EU-U.S. Privacy Shield, which prompted the European Commission and the U.S. government to negotiate a new framework that addressed the Court's concerns. President Ursula von der Leyen and President Biden initially reached an agreement in principle on this new transatlantic data flow framework in March 2022. The adequacy decision entered into force on July 10th, with no time limitation, subject to continuous monitoring and regular reviews.


Isn’t This Just The GDPR Applied to This Transfer?

Well… yes and no.

The General Data Protection Regulation (GDPR) is a law enacted by the European Union to protect the privacy and personal data of EU residents. It applies in all EU member states and to any company, anywhere in the world, that handles the data of EU residents. It imposes a number of requirements on companies, such as providing clear notices to individuals about how their data is being used, obtaining explicit consent for data collection, and implementing appropriate security measures to protect personal data.

The EU-U.S. Data Privacy Framework, on the other hand, is a specific agreement between the European Union and the United States that regulates the transfer of personal data from the EU to the U.S. It is meant to provide an additional layer of protection for EU citizens' data that is transferred to the U.S., and it contains specific requirements and mechanisms that U.S. companies must comply with in order to legally receive and process personal data from the EU.


Parting Thoughts: A Little 702 Context

Section 702 is part of the U.S. Foreign Intelligence Surveillance Act (FISA), added when the Act was amended in 2008. It allows the U.S. government to obtain foreign intelligence information about non-U.S. persons (individuals who are not U.S. citizens and are not located in the U.S.) from electronic communication service providers such as telecom companies and internet service providers. This surveillance is performed without a warrant, which has made it a controversial provision hated by privacy advocates in the U.S. and internationally, Max Schrems among them.

Section 702 has been used by U.S. intelligence agencies to justify large-scale surveillance programs. So, while the new rule would protect consumers' data from being mishandled by companies, it would not necessarily protect that data from being collected by the U.S. government under Section 702 for foreign intelligence purposes. The protections afforded by the Privacy Protection Rule and the potential intrusion allowed by Section 702 exist in somewhat different legal and practical spheres.

Section 702 is set to expire on December 31 of this year (2023), and the debates thus far have centered not on whether to renew it (because that is a losing battle for privacy advocates), but rather on how to cabin the powers given to the US intelligence community. I’d imagine that preventing access to the data covered by this framework is at the top of the shopping list of privacy advocates across the Western world.
