Those following developments in transatlantic data transfers breathed a huge sigh of relief on 10 July 2023 when, despite criticisms from some stakeholders, the European Commission adopted an ‘adequacy decision’ in favour of the EU-U.S. Data Privacy Framework. So, what is the DPF, and how does it address the ‘Schrems II’ challenges?
The DPF is a US Executive Order that enhances safeguards around United States signals intelligence activities. This order introduces binding safeguards limiting U.S. intelligence agencies’ access to data to help ensure their access is necessary and proportionate to national security needs.
The DPF also establishes an independent two-layer redress mechanism to resolve European complaints regarding the processing of their data for national security purposes and imposes clear obligations on U.S. companies participating in the framework to adhere to privacy principles.
Its commitment to “essential equivalence” rather than identical data protection measures provides what many consider to be a flexible approach. Also, it reflects the reality that the EU and the US have different approaches to data privacy, with the US relying more heavily on self-regulation as a compliance tool.
Despite many positives, a question mark remains over the resilience and longevity of the DPF. It was subject to criticism from stakeholders, such as the EDPB and the European Parliament, before its adoption, and these criticisms may resurface as its safeguards are tested in practice. The DPF’s ability to withstand scrutiny and challenge largely depends on its effectiveness sin practice, particularly regarding (1) the limitations and safeguards against U.S. intelligence agencies’ access to data and (2) the efficacy the new redress mechanism for Europeans.
Concerning the limitations and safeguards introduced to address the Schrems II finding g
that US intelligence agencies’ access must be “necessary and proportionate”, it’s possible to argue that proportionality is not being applied in a way equivalent to that under EU law. The DPF doesn’t attempt to define these terms, and some have contended that they have only been included to give the impression that the concerns of the CJEU in Schrems II have been fully addressed.
What has Max Schrems had to say about it? Only that he is likely to challenge the DPF. However, with the legal challenge process so protracted, even if the Schrems III wheels are already in motion, it will likely be some time before the CJEU hears any such challenge. As of April 2024, the DPF has 2,778 participants who can continue to rely on the DPF for their transfers to the US for now, and this number will likely continue to grow.
This article is part of our Data Protection Top 10 2024 publication.