Frequently Asked Questions about the New EU-US Data Privacy Framework
The EU and the US have agreed to a new scheme to help data flow between companies on both sides of the Atlantic. It’s called the EU-US Data Privacy Framework (DPF), and US businesses are already rushing to self-certify under the scheme.
But can European organisations trust the DPF, given the complex and chaotic history around transatlantic data transfers?
This article explains the data transfer fundamentals—and could help you decide whether relying on the DPF is wise in the long term.
What is this EU-US data transfers news all about?
The big news is that thanks to the DPF, the US now has a partial “adequacy decision” after three years without one.
For the past decade, the European Commission and the US government have been trying to find a way to enable organisations in the European Economic Area (EEA) to easily transfer personal data to businesses in the US.
The General Data Protection Regulation (GDPR), like its predecessor law, places strict rules on “international data transfers”—the sharing of personal data by EEA-based organisations with other entities in “third countries” (countries outside of the EEA).
That doesn’t sound very important…
International data transfers are more common than most people realise.
Services operated by Microsoft, Google, Meta, and other tech giants are covered by the law on data transfers.
Personal data cannot leave the control of EEA companies unless certain conditions apply. One such condition is that the data is transferred to a country with an “adequacy decision”—which, as mentioned, the US (partially) got last week. For the third time.
Why has the US had three adequacy decisions?
The US is on its third adequacy decision because the CJEU struck down the first two.
Although the Commission (the EU’s executive body) can decide which countries are “adequate”, its previous US adequacy decisions were overturned by the Court of Justice of the European Union (CJEU).
It all began in 2013, when Edward Snowden leaked US National Security Agency (NSA) documents revealing how extensively the US was surveilling people outside of its borders.
Why are you talking about Edward Snowden?
The Snowden revelations kicked off a series of legal challenges that have caused chaos for companies transferring personal data from the EEA to the US.
Similar issues will face the new EU-US DPF. The question is whether the new framework survives where its predecessors failed. We’ll come back to that.
Among other things, the Snowden leaks showed how US national security laws were being used to justify near-unfettered access to Europeans’ data held by Google, Microsoft, and Facebook.
And this was all happening despite the Commission’s US adequacy decision.
The Snowden revelations upset a number of people, including a privacy activist named Max Schrems.
Who is privacy activist Max Schrems and why should I care?
Privacy activist Max Schrems is the man who brought down the first two US adequacy decisions, which covered data transfer frameworks called “Safe Harbor” and “Privacy Shield”.
Following the Snowden revelations, Schrems complained to the Irish Data Protection Commission (DPC) that Facebook should not be exposing him to intrusive surveillance by transferring his personal data to the US.
The Irish DPC (which leads data protection regulation on most US tech firms) rejected the complaint, asserting that it could not interfere because the transfers were covered by an adequacy decision—the Safe Harbor framework.
That assertion turned out to be wrong. Schrems’ case against Facebook and the Irish DPC ended up at the CJEU, which examined Safe Harbor and found that it did not meet EU standards.
What was the problem with Safe Harbor?
The problem with Safe Harbor, according to the CJEU, was that it did not stop the US government from violating the privacy rights of people in Europe.
US businesses participating in Safe Harbor had to promise to abide by the “Safe Harbor Privacy Principles”. The US has no comprehensive federal privacy law, so those principles were what gave personal data imported from the EEA some protection.
But the CJEU ruled that the Commission had missed the point of the “adequacy” process. US public authorities were not bound by Safe Harbor, and could still act with relative impunity despite the scheme.
So Max Schrems was proven right, Safe Harbor was declared illegal, and EEA businesses relying on the framework were given three months to find another way to transfer personal data to the US.
In the meantime, the Commission and the US government negotiated a new and improved framework, called “Privacy Shield”, which was deemed adequate by the Commission in 2016.
But there were issues with Privacy Shield, too.
What were the issues with Privacy Shield?
With Privacy Shield, the US government set up an “Ombudsperson” to hear complaints from people in Europe, and extended certain US privacy rights to Europeans.
Max Schrems argued that the reforms did not go far enough, in a case now known as “Schrems II”.
The CJEU once again sided with Schrems, finding, among other problems, that the Privacy Shield Ombudsperson did not meet the EU’s standards for the “right to redress” (the ability to appeal government decisions at a court or tribunal).
The court also took issue with another common data transfer method (which it turned out Facebook was actually using)—”standard contractual clauses” (SCCs).
Essentially, the Schrems II decision meant that organisations using SCCs must conduct a detailed “transfer impact assessment” to ensure they are not exposing people to illegal surveillance by foreign governments—which is virtually impossible to satisfy for most US data transfers.
So EEA organisations relying on Privacy Shield once again had to find a new way to transfer personal data to the US.
But they got zero months’ notice this time, and the most obvious alternative transfer mechanism (SCCs) had been rendered practically unusable.
Over the next three years, many businesses existed in data-transfer limbo while Brussels and Washington worked on the next iteration of Privacy Shield—the DPF.
What’s the EU-US Data Privacy Framework (DPF)?
Like its predecessors, the DPF is a self-certification scheme. US businesses can sign up if they agree to meet the scheme’s requirements and recertify annually.
EEA-based organisations can transfer personal data to DPF-certified US businesses without putting additional safeguards in place.
Together with the DPF, the US government issued an Executive Order that (it hopes) brings US intelligence-gathering practices in line with EU privacy standards—and sets up a Data Protection Review Court that (it hopes) meets the EU’s requirements for appeals.
So EEA businesses can relax on US data transfers?
Completely relaxing on data transfers might be unwise.
Schrems has already begun preparations to challenge the DPF in the same way he challenged the previous two frameworks. If he wins, businesses relying on the scheme will be caught in legal limbo yet again.
While data protection is about more than just avoiding enforcement, we have seen that the EU’s data protection authorities interpret the data transfer rules strictly. Since July 2020:
- Authorities in many EU member states (including Austria, France, Italy, and Finland) have sanctioned website operators for using Google Analytics in defiance of the data transfer rules—including a €1 million fine issued by Sweden this month.
- Other cases involving data transfers include the use of common tools such as the Meta Pixel and Cloudflare’s content delivery network—and even transfers made under an international tax agreement with the US.
- The largest GDPR fine of all time related to data transfers—€1.2 billion against Meta, for continuing to illegally transfer personal data after Schrems II.
But can we use Google Analytics now or not?
As long as the DPF survives, using tools like Google Analytics is no longer inherently illegal, at least not because of the data transfer issue.
A regulator might still find other problems with how a website operator implements Google Analytics—especially if the cookie banner is misleading or if visitors are not asked for consent—or with how much data is shared with Google via the tool.
And, as noted, Schrems is going to challenge the DPF. He will argue that the underlying changes to US law do not provide any meaningful improvement to protect the privacy rights of people in Europe.
The case could take years to resolve, and it’s impossible to predict whether the DPF will survive.
But based on past performance, most observers would not bet against Max Schrems.
As such, one sensible long-term strategy might be to insulate your company against the risks associated with international data transfers wherever possible.
Try Wide Angle Analytics!