Written by Kieran Harte
The EU-US Data Privacy Framework (EU-US DPF) is a framework that US-based organisations can certify against, committing to a set of privacy principles. To certify under the EU-US DPF, as well as re-certify annually, organisations must publicly declare their commitment to comply with the principles of the EU-US DPF. The Framework allows self-certified companies that adhere to it and commit to a set of privacy obligations to receive EU personal data without having to put in place additional transfer safeguards. According to the Commission, the Framework addresses all concerns raised by the CJEU, including with respect to access to EU data by US intelligence services.
One of the key elements of the EU-US DPF, and one that directly addresses the CJEU’s decision in the Schrems II case, is the limitation placed on access to EU personal data by US surveillance and intelligence agencies. Under the EU-US DPF, US surveillance agencies may access EU personal data only to the extent necessary and proportionate for maintaining national security. US agencies will also be held to stricter data minimisation requirements to lessen the impact on individuals’ privacy.
These safeguards were implemented through an Executive Order (14086) on Enhancing Safeguards for United States Signals Intelligence Activities, signed by President Biden on October 7, 2022. In addition, the Executive Order also provided for enhanced oversight of US intelligence service activities including having “senior-level legal, oversight, and compliance officials” in place to conduct periodic review of intelligence activities to ensure compliance with applicable US law.
Additionally, in a Q&A document, the European Commission stated: “All the safeguards that have been put in place by the US Government in the area of national security (including the redress mechanism) apply to all data transfers under the GDPR to companies in the US, regardless of the transfer mechanism used. These safeguards therefore also facilitate the use of other tools, such as standard contractual clauses and binding corporate rules.”
The second key area of the EU-US DPF that directly addresses the CJEU’s Schrems II decision is the establishment of a dual-layered redress mechanism for individuals. The EU-US DPF redress mechanism will be used in cases where personal data collected through US signals intelligence violates applicable privacy laws.
The first layer of the redress mechanism gives the Civil Liberties Protection Officer in the Office of the Director of National Intelligence (CLPO) the power to investigate complaints and determine whether non-compliance with the EU-US DPF or other US laws has occurred. The second layer empowers the Attorney General to establish a Data Protection Review Court (DPRC), which provides an independent review of the CLPO’s decision.
Background information
The European Commission adopted an adequacy decision on the EU-US DPF on July 10, 2023, which introduced binding safeguards for the protection of personal data when transferred between the EU and the US. The framework was the product of over 18 months of negotiations between the European Commission and the US Department of Commerce following the invalidation of the previous framework (the EU-US Privacy Shield) and aims to facilitate the ongoing flow of personal data between the two jurisdictions.
Following the adoption of the adequacy decision by the European Commission, organisations can certify against the framework to restore EU-US data flows without the need for additional safeguards (although it is still best practice to perform a Transfer Impact Assessment (TIA) and decide whether further safeguards are appropriate).
The EU-US DPF is subject to periodic review by the Commission, EU Data Protection Authorities, and authorities in the US, the first of which will take place 12 months after the framework enters into force.
The EDPB (European Data Protection Board) adopted an information note for individuals and entities transferring data to the United States on 19 July 2023.
The aim of the note is to provide some clarity on the implications of the Adequacy Decision for data subjects in the EU and for entities transferring personal data from the EU to the US. It also provides concise and objective information regarding the redress mechanisms available under the Data Privacy Framework (DPF), and the new redress mechanism in the area of national security.
The information note clarifies that transfers based on adequacy decisions do not need to be complemented by supplementary measures. Transfers to the United States that are not included in the ‘Data Privacy Framework List’ will require appropriate safeguards, such as standard data protection clauses or binding corporate rules.
