The House of Data Imperiali bulletins are extracts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.

The SIG is available by subscription only.

For further information, please email: segreteria@imperialida.com

Data Privacy Framework

The new EU-US agreement on the transfer to the United States of personal data of EU subjects – known as the Data Privacy Framework (“DPF”) – was the subject of an adequacy decision by the EU Commission on July 10, 2023.

With this act of the Commission, the DPF has entered into force and is effective: the transfer of personal data from an EU exporter (more correctly, one established in the EEA territory) to a U.S. importer that has registered for the DPF program no longer requires the adoption of additional safeguards, as it is covered by the adequacy decision (Article 45, GDPR). The self-certification to the DPF must cover the area within whose scope the subject of the transfer falls.

CJEU decision on the Schrems II case

The DPF became necessary because, in July 2020, the CJEU decision [Case C-311/18, Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (Schrems II)] had invalidated the DPF’s predecessor, the so-called Privacy Shield.

The decision had been adopted following a finding that

  • the access to and use of personal data of individuals located in the EU by U.S. intelligence authorities did not satisfy the principle of proportionality, and
  • no effective appeal mechanisms were in place for EU data subjects to object to the surveillance practices of public law enforcement agencies.

Privacy Shield

The DPF is, in essence, not a new program; rather, it is supplementary to the Privacy Shield, which remains valid in all respects. More specifically, as a result of the CJEU’s invalidation decision, the Privacy Shield is no longer an instrument that enjoys the EU Commission’s adequacy decision, but on the U.S. side it is still a voluntary program that has remained in force. Organizations that are still members of the Privacy Shield, having renewed their self-certification annually, will have the option of automatically transitioning to the DPF simply by updating their privacy policies with the Statement of Commitment to the DPF and, at the same time, reporting the institutional website address of this program.

The negotiation between the U.S. Department of Commerce and the EU Commission, which led to the approval of the DPF, focused on addressing the critical observations highlighted by the CJEU in the Schrems II decision regarding the lack of proportionality in U.S. public authorities’ access and the absence of an independent appeal mechanism available to interested parties.