On July 11th, 2023, the new agreement on the transfer of personal data between the EU and the US was adopted: the EU-US Data Privacy Framework, or DPF for short. The agreement aims to facilitate transfers of personal data from the EU to the US by guaranteeing that participating US companies comply with EU data protection rules through a “new” certification.
Timewise, this new adequacy decision, which replaces the previous Privacy Shield, comes almost three years to the day after the Privacy Shield was invalidated by the European Court of Justice (ECJ) in July 2020 in the so-called Schrems II decision. From 2016 to 2020, the Privacy Shield was the guarantee that certified US companies complied with EU data protection requirements. Ultimately, it was invalidated because certified companies remained legally obliged to hand over personal data to US authorities on request, intelligence agencies in particular, and EU data subjects had no effective remedy against such access. The data concerned included that of European customers and citizens.
In the three years since, all parties involved made the laborious switch to standard contractual clauses (SCCs), which now had to secure the transfers instead. The European Commission's update of the clauses in 2021 did not make this any easier, as existing contracts concluded under the old clauses had to be adapted all over again.
Now, just a few months after the first draft was published, the DPF is final. The European Union has thus issued an adequacy decision not for the USA as such, but for US-based companies that have certified under the framework. The decision is to be reviewed after its first year and periodically thereafter. As has been widely discussed in the data protection community, some of the rules remain vague. For example, the US safeguards rest on an executive order (Executive Order 14086), which any future president can revoke with a signature, and the terms “necessity” and “proportionality”, although now written into that order, are still read differently on the two sides of the Atlantic.
The certification procedure has now been published. A closer look at the Department of Commerce's publication shows that, as before, it amounts to simple self-certification by the companies. All that is needed is a publicly available privacy policy, a complaint mechanism with an independent third party, and a commitment to security of processing, liability, accountability, data integrity and purpose limitation, as well as to data subjects' rights such as access and erasure. Even the understanding of consent differs between the two sides: where the GDPR relies on consent, it requires an opt-in, i.e. an affirmative act by the data subject, whereas under the DPF principles it is enough to offer an opt-out, i.e. the possibility to object (only sensitive data requires an affirmative opt-in). Privacy by default works rather differently.
The hurdle for obtaining DPF certification must therefore be regarded as extremely low. At the time of writing, more than 2,600 companies were already on the list of certified organisations, including large technology companies that are still regularly fined in the European Union for various violations. The threshold is barely a step at all.
Before the framework was finalised, both the European Data Protection Board (EDPB), which brings together all data protection authorities in the EU, and the European Parliament assessed the draft. Both welcomed the basic intention but levelled considerable criticism at the draft that would go on to become the final agreement. Part of the criticism concerned the lack of legal certainty, the key words again being the executive order and proportionality. There was also criticism of the lack of clarity regarding the principles that intelligence services must follow, and of the missing information on how those principles would be implemented by the October 2023 deadline. Finally, the complaints mechanism was criticised for its lack of transparency. All of these points have since been taken up by NOYB, the association behind Max Schrems, which is already preparing a new challenge before the ECJ.
In view of the weaknesses described and the very low threshold of self-certification, the DPF will in all likelihood be invalidated as well within the next few years, and data transfers to the USA will once again face difficulties and uncertainty.
Long-term legal certainty for European companies and our customers looks different. Data protection remains exciting.