Challenging the Data Privacy Framework in the CJEU: What is the Current Position of European Union Regulators and Where Does it Leave US Businesses?

Data Protection agreements between the European Union and the US are essential for successful transatlantic business. However, the data transfer mechanism available and the individual’s right to privacy have always been something of a moveable feast.

EU & US Data Transfers

The agreements between the EU, UK, and the US have been the subject of significant challenge and alteration during the last twenty-three years. Fresh legal actions suggest that there is little sign that this will change in the foreseeable future.

Complying with EU data privacy laws

Businesses want to know they are compliant, so what is the best way to navigate data privacy and stay on the right side of the line in this complex and ever-changing situation?

A Quick View of the Background to Data Transfer Mechanisms between the European Union and the US

Personal data from Europe and the UK does not routinely enjoy the same comprehensive level of protection in the USA.

EU privacy laws prohibit EU-US data transfer unless it is transferred to an organisation or location that offers an adequate level of data protection in line with EU rules. This is referred to as ‘adequacy’.

Transatlantic Personal Data Transfer Mechanisms

There have been different frameworks to facilitate data transfer to the US. First came ‘Safe Harbor’ and then the Privacy Shield, which has sought to protect the data of individuals after it crosses the Atlantic.

GDPR in the US – the “Safe Harbor” Framework

The European Union, in collaboration with the US Department of Commerce and the Federal Data Protection and Information Commissioner of Switzerland, created a privacy framework.

US companies could comply by self-certifying that they aligned with the seven principles of European data privacy and Swiss privacy laws protecting their citizens.

In 2000, the European Commission declared they were happy that these principles complied with the European Directive, known as the ‘Safe Harbor Decision’.

However, in October 2015, the Safe Harbor Privacy Principles, also known as the Safe Harbor Privacy Framework, were overturned by the CJEU, and ruled invalid.

The CJEU supported the premise from Austrian lawyer and privacy campaigner Max Schrems that the DPF was invalid because it did not offer adequate protection to consumers in light of the Snowden revelations.

The Snowden Revelations

Edward Snowden worked for the US National Security Agency (NSA). He leaked classified documents in 2013, demonstrating that the NSA and partner agencies collected vast volumes of data from internet activities and phone calls.

Safe Harbor failed because of invasive US surveillance laws.

The EU-US Privacy Shield

The removal of Safe Harbor was the impetus to create a new framework for the movement of transatlantic data – this was called the Privacy Shield and placed a stronger obligation on US companies than the previous Safe Harbor arrangement.

In particular, the EU-US Privacy Shield includes written assurance and commitments regarding data access.

What happened to the Privacy Shield in 2020?

In 2020, the Privacy Shield was also ruled invalid by the CJEU based on the risk of widespread surveillance and spying by US intelligence agencies on EU citizens, and the impact of this surveillance on the fundamental right to data protection for EU citizens.

This decision was known as ‘Schrems II’ because it resulted from a privacy case, again brought by Austrian activist Max Shrems.

Despite invalidating Privacy Shield, the protections provided by the Standard Contractual Clauses (SCCs) were affirmed as sufficient, albeit with an additional requirement to undertake a transfer impact assessment to determine whether additional technical and organisational measures were needed to support the SCCs.

Organisations were left with SCCs being one of the reliable transfer mechanisms universally available to them but with the additional due diligence requirements in relation to risk transfer.

Since the CJEU declared the EU-US Privacy Shield null and void in 2020 and before the latest DPF of 2023, the focus moved to ensuring compliant data protection via contractual agreements and reliance on the European Commission’s Standard Contractual Clauses.

In 2021, the European Commission revised the SCCs and adopted revised and more substantive versions which include the transfer assessment obligation as a contractual commitment.

Organisations were required to use them for all new transfers with effect from 27 September 2021 and replace existing SCCs with the latest versions by 22 December 2022—a significant re-papering exercise for all organisations.

2023 – enter the Data Privacy Framework

The European Union and the US created and agreed on the US Data Privacy Framework on 10 July 2023, designed to control and facilitate data transfers between the EU and the USA.

The European Commission adopted an adequacy decision for this new EU-US DPF.

New conditions seemingly address some of the EU’s data privacy concerns and restrict the way in which US intelligence agencies can find information on EU citizens.

“None of your business” – challenging the Data Privacy Framework

The day the EU-US Data Privacy Framework came into force, an organisation called NOYB announced a legal challenge with a clear intention to take their case to the CJEU.

The basis for this, according to NOYB, is that the new DPF is simply the same as the Privacy Shield in all but name and that the Privacy Shield was a simple rehash of Safe Harbor.

NOYB asserts that little has changed in US law – the US still takes the view that only US persons are worthy of constitutional rights – and the approach adopted by the EU.

Where Does All This Leave Transatlantic Data Transfers?

It seems that relying on the third incarnation of the Data Privacy Framework could be like sitting on a chair with a wobbly leg: sooner or later, it could give way.

For the last twenty-three years, all EU-US data transfers were declared retroactively invalid, so effectively illegal. The writing is on the wall that the current DPF could go the same way, but for the moment, this is still untested in the CJEU.

However, many privacy commentators feel there may be hope for the new DPF. US authorities have put in place new necessity and proportionality limitations on data access for intelligence-gathering purposes.

There are also new oversight and redress mechanisms, including the introduction of a Data Protection Review Court, potentially indicating a more positive alignment with EU requirements.

The European Commission issued questions and answers on how to use the new SCCs and in addition, data protection regulators in France have issued further guidance to support their use.

Whilst a challenge against the DPF gathers force in the CJEU, what does all this mean for businesses transferring data originating in the EEA, UK, and Switzerland to the USA?

Despite the latest European Commission DPF, German Data Protection Authorities (GDPAs), following a coordinated focus audit regarding third-country data transfers, suggest that German companies should still rely on the Standard Contractual Clauses.

This is particularly frustrating for those DPF self-certified organisations when doing business with German counterparts or global organisations that operate in Germany. Additionally, it creates uncertainty for those US organisations considering self-certification for the first time. Is this a process worth investing in?

From a practical perspective, negotiating reliance on the DPF in contravention of the GDPA’s recommendations is an uphill battle.

The GDPAs work proactively with German organisations, often offering ‘no names’ conversations for unofficial indications of their likely direction on particular issues. This contrasts with other countries’ data protection authorities, operating at a distance under local data protection laws.

As a result, German organisations and DPOs are unlikely to deviate from GDPAs recommendations.

SCCs will always be a way to create a workable and safe way forward for EEA, Swiss, and UK data importers to the US, especially if the latest DPF is declared retroactively inadequate and invalid by the CJEU following the challenge from NOYB.

Our advice? If you have SCCs in place and have undertaken the associated transfer due diligence, stick with this approach for now. If you have the flexibility to offer DPF self-certification and SCCs depending on the location of your contract counterparty and/or the personal data being processed, go for it.

Any challenge to DPF will take time and with the new protections in place for data subjects, may yet be thrown out by the European courts.

Frequently Asked Questions

What is NOYB?

NOYB is an acronym that stands for ‘None of Your Business.’ The clue is most definitely in the name.

NOYB is a non-profit organisation based in Vienna. It was co-founded by Austrian lawyer and privacy activist Max Schrems in 2017. NOYB is responsible for the two challenges to the DPF brought so far in the CJEU and potentially a third case.

What is the UK-US Data Bridge?

UK businesses can transfer personal data to US companies and organisations certified to the ‘UK Extension to the EU-US Data Privacy Framework.’ This is called the UK-US data bridge and is an adequacy decision.

UK companies can only rely on this if the US receiving organisation is self-certified to the UK-US Data Bridge and the UK extension to the DPF.

If the US recipient doesn’t participate in the DPF, the data sender in the UK must use another, current safeguard, for instance, the International Data Transfer Agreement or the UK’s Addendum to the EU Standard Contractual Clauses which is a lawful derogation under the UK’s GDPR for data transfer.

Final Thoughts

The one constant in the data protection and privacy landscape is that it is constantly changing – this is a fast-paced and evolving picture, which, for EEA, UK, and Swiss businesses trying to comply, is a headache.

The key to data privacy compliance is undoubtedly to stay proactive, prepared, and informed. Using professional data experts who understand the law and how to comply is essential for many companies and organisations

 

Find out how TechLaB can help you reach your goals with our business-oriented, fast, innovative, multilingual yet detail oriented legal advice

Contact techlab

type your search

TechLaB – Technology Law Boutique: your one-stop shop for global legal services in technology.