The Data Privacy Framework agreement has been in force since July 2023. After Safe Harbor and the EU-US Privacy Shield, it is the third attempt to establish a legally secure basis for transferring personal data from the EU to the US. This article addresses three questions in particular: What basic principles does the new data protection agreement lay down? Is the new agreement robust enough to withstand the legal challenges that have already been announced? And how did it come about that a third data protection agreement between the EU and the US was needed in the first place?
First data protection agreement: Safe Harbor
To keep data traffic between the European Union (EU) and the US from coming to a standstill as the Internet grew, a special procedure for the transfer of personal data was developed between 1998 and 2000. US companies could join the Safe Harbor Privacy Agreement and register on a corresponding list maintained by the US Department of Commerce. In doing so, they committed themselves to observing the Safe Harbor Principles, which include transparency and purpose limitation in information processing, data security, and the right to correct the information collected. Safe Harbor became necessary because Directive 95/46/EC of 1995 on data protection prohibited the transfer of personal data from EU member states to countries whose data protection laws did not offer a level of protection comparable to that provided by EU law. In the Safe Harbor decision of July 2000, the EU recognized that companies committed to this agreement provided adequate protection for the personal data of EU citizens.
Just one year later, the terrorist attacks of September 11 shook the world and had a long-term impact on the Safe Harbor Agreement and subsequent agreements.
The US Patriot Act, passed in October 2001, gave US intelligence agencies extensive powers to access data held by any US company without a court order in cases of suspicion. In the years that followed, this received little attention. As European data protection activists emerged and drew increasing attention to the issue, the NSA scandal of 2013 (the publication of intelligence documents by Edward Snowden) finally brought the situation to a head: it exposed extensive espionage activities.
As a result, a lawsuit against Safe Harbor was brought before the European Court of Justice (ECJ). In September 2015, the ECJ declared the Commission's Safe Harbor decision invalid.

Figure 1: Global cloud market distribution by region
Second data protection agreement: EU-US Privacy Shield
A successor agreement was therefore needed so that European companies could legally use the cloud computing market, which is dominated by American companies and had grown enormously in the meantime. Following concessions by the US government under President Obama, such as giving EU citizens the possibility to take legal action in the US in the event of a data protection breach, the EU Commission put the successor agreement, Privacy Shield, into effect in July 2016. Critics complained from the outset that, apart from a few details, it did not differ from Safe Harbor, and warned of uncertainties in the event of a change of government in the US. That change then actually occurred in 2016 with the Trump administration, which passed a series of legislative changes, including one that once again excluded non-US citizens from the possibility of taking legal action in the US. A new lawsuit was filed before the ECJ, and the Privacy Shield agreement was declared invalid in July 2020.
Third data protection agreement: Data Privacy Framework
Once again, a follow-up agreement had to be negotiated to give EU companies legal certainty when using US cloud services. To reach an agreement, the new US administration under Biden first had to issue an executive order instructing the US intelligence services, among others, to limit their access to data to a reasonable extent. This cleared the way for the EU Commission to adopt the Data Privacy Framework by means of an adequacy decision pursuant to Art. 45 GDPR. The decision was drafted in December 2022 and finally adopted in July 2023, at which point the framework entered into force.
The following basic principles apply:
- Binding safeguards are intended to limit access by US intelligence services. The aim is to ensure that access only occurs when it is necessary and proportionate to safeguard US national security, without disproportionately affecting the rights and freedoms of individuals.
- Procedures will be established to ensure effective monitoring of the new standards.
- A new two-tier appeal system is designed to ensure that complaints from EU citizens about access to data by US intelligence services are investigated and dealt with. A new and independent Data Protection Review Court has been established in the US to conduct judicial reviews.
- US companies that process data transferred from the EU are subject to strict obligations. These include, in particular, confirming compliance with the agreement to the US Department of Commerce by means of self-certification. The principles for this self-certification are based on European data protection law.

Figure 2: Basic principles
For all EU companies that use US cloud services and thereby transfer personal data to the US, the entry into force of the EU-US Data Privacy Framework has brought significant relief. Legal certainty has now been restored. From an economic perspective, this development is very welcome.
But caution is advised! The adequacy decision for the EU-US Data Privacy Framework only applies if the US company to which personal data is to be transferred has the appropriate valid certification. It must therefore be listed on the official website for the new data protection agreement among the US companies that have been certified under the new mechanism and to which personal data may therefore be transferred without further requirements.
If this is not the case, the alternative remains to conclude standard contractual clauses and carry out a transfer impact assessment, i.e., a risk assessment for data transfers to third countries that are not considered safe. Standard contractual clauses are model contracts adopted by the European Commission; they contractually bind companies in the European Economic Area and cloud providers in third countries to European data protection standards. Given the uncertain prospects of the EU-US Data Privacy Framework, it is advisable not to terminate existing standard contractual clauses, but to use the framework as a kind of "double safety net."
Conclusion – Data Privacy Framework agreement
In principle, any data protection agreement that offers legal certainty for EU companies is to be welcomed. From this perspective, the Data Privacy Framework is a step in the right direction. However, the final word has not yet been spoken here either. The data protection activists who already brought down Safe Harbor and Privacy Shield have announced a corresponding lawsuit against the Data Privacy Framework. They are particularly bothered by the vague wording regarding the proportionality of data access by US intelligence agencies and the overall minor differences from Privacy Shield. As long as there is no change in US surveillance law with regard to the Patriot Act, any data protection agreement is on shaky ground. Therefore, when using cloud services from US providers, EU companies should continue to pay attention to precisely defined standard contractual clauses for data processing in non-EU data centers and to a detailed risk assessment for data transfers.