INTRODUCTION
The European Union (hereinafter referred to as “EU”) and the United States of America (hereinafter referred to as “US”) adopted a new arrangement for transatlantic data transfers, the EU-US Data Privacy Framework (hereinafter referred to as “DPF”), on 10th July, 2023, when the European Commission adopted its adequacy decision for the framework. The DPF follows a long-running disagreement between the EU and the US over how to ensure a sufficiently high standard of protection for personal data collected from the EU by US companies.
Like its predecessor, the EU-US Privacy Shield, the DPF is a self-certification programme. The Privacy Shield was designed by the U.S. Department of Commerce and the European Commission to give companies a mechanism for complying with data protection requirements when transferring personal data from the EU and Switzerland to the US.
In Data Protection Commissioner v. Facebook Ireland Ltd. and Maximillian Schrems (Case C-311/18, judgment of 16/07/2020, hereinafter referred to as “Schrems II”), the Court of Justice of the European Union (hereinafter referred to as “CJEU”) held that “the provisions of US laws do not satisfy requirements that are essentially equivalent to those required under EU law” and declared the Privacy Shield adequacy decision invalid. Schrems II was a landmark case in privacy law and a major impediment to transatlantic trade.
Further, the court in the Schrems II judgement held that the EU-US Privacy Shield failed to provide effective safeguards for the privacy of EU individuals’ data because of the broad powers vested in US surveillance programmes. The Privacy Shield therefore did not ensure the level of protection required by the GDPR, the EU’s stringent data protection regulation. Following the adoption of the DPF, the President of the European Commission, Ursula von der Leyen, stated: “The new EU-U.S. Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic”.
According to Article 45(3) of the General Data Protection Regulation (hereinafter referred to as “GDPR”), the Commission has the power to decide that a non-EU country ensures an “adequate level of protection”, i.e. a level of protection for personal data essentially equivalent to that provided within the EU. Once such an adequacy decision is in place, personal data may flow from the EU to that third country without any further authorisation. Accordingly, public and private organisations in the European Economic Area may transfer personal data to US enterprises that have certified under the EU-US DPF.
BACKGROUND OF EU-US DATA EXCHANGE
The DPF replaces the EU-US Privacy Shield, which was invalidated by the CJEU because of concerns around surveillance of transferred data by US intelligence agencies. The EU-US Privacy Shield was itself a revised version of its predecessor, the Safe Harbour Policy. Safe Harbour was a set of principles that governed the exchange of data between the US, the EU and Switzerland; it was held invalid in an earlier ruling by the CJEU (Maximillian Schrems v. Data Protection Commissioner, Case C-362/14, 2015, commonly referred to as “Schrems I”).
The DPF was therefore framed with the aim of providing a safe, efficient and cost-effective way to transfer data between the European Union and the United States of America. In substance, the DPF is a modification of the EU-US Privacy Shield.
IMPLICATIONS OF THE DPF
Compared with the earlier agreements, the DPF enables certified US companies to receive personal data from the European Economic Area (hereinafter referred to as “EEA”) without relying on other EU-approved transfer mechanisms such as Standard Contractual Clauses (hereinafter referred to as “SCCs”) or Binding Corporate Rules (hereinafter referred to as “BCRs”), and without conducting Transfer Impact Assessments (hereinafter referred to as “TIAs”). To certify, companies make legally binding commitments to comply with the Data Privacy Framework Principles.
The European Commission determined that, under the new DPF, the US provides an adequate level of protection for personal data transferred from the EU to certified US companies, comparable to that already in place within the EU. The DPF introduces new binding safeguards intended to address the concerns raised by the CJEU in Schrems II.
The safeguards adopted by the US government in the area of national security, together with the new redress mechanism, apply to all personal data transferred from the EU to US entities under the GDPR, irrespective of the transfer mechanism chosen by the entity. As a result, these safeguards also make it easier to rely on other transfer tools, such as SCCs and BCRs.
According to reports, companies that maintained their Privacy Shield certification after the Schrems II decision can transition to the new framework, subject to updating their privacy policies to reference the DPF Principles, whereas companies that did not hold a Privacy Shield certification must complete the EU-US DPF certification procedure from the start. The US Department of Commerce administers the DPF certification programme, while enforcement against participating companies lies with the Federal Trade Commission and, for air carriers and ticket agents, the Department of Transportation.
The DPF therefore grants individuals in the EU whose data is transferred to participating companies a set of rights, including access to their data and the correction or deletion of data that is inaccurate or has been mishandled. Furthermore, it provides channels of redress when data is mishandled, including Alternative Dispute Resolution bodies and a binding arbitration panel.
HOW IS THE DATA PRIVACY FRAMEWORK DIFFERENT FROM THE PRIVACY SHIELD AND THE SAFE HARBOUR POLICY?
The DPF is an upgraded form of the Privacy Shield that fills the gaps and loopholes of its predecessors and addresses the serious concerns raised by the CJEU: providing access to judicial redress, limiting the powers of US intelligence agencies to access transferred data, giving individuals in the EU the right to have mishandled data deleted or corrected, and ensuring an adequate level of protection of personal data in the US in line with Article 45(3) of the GDPR.
LEGAL CHALLENGES
The additional measures underpinning the DPF, introduced through US Executive Order 14086 of October 2022, require the US government to limit access to personal data by US intelligence agencies to what is necessary and proportionate. This is relevant because Section 702 of the Foreign Intelligence Surveillance Act of 1978 allows the U.S. Government to target the communications of non-U.S. persons located outside of the United States.
These measures strengthen oversight of US intelligence activities so as to guarantee compliance with the restrictions on surveillance, and establish a redress mechanism, including the newly created Data Protection Review Court (DPRC), which is now available to individuals in the EEA.
AMLEGALS REMARKS
For companies already certified under the Privacy Shield, the DPF significantly reduces the regulatory burden of transferring data from the EU. The DPF will also be subject to periodic reviews, conducted by the European Commission together with representatives of the competent US authorities and the European data protection authorities, to ensure that the arrangement keeps pace with developments in the data collection environment.
The DPF is a new mechanism intended to facilitate transatlantic data transfers while addressing the concerns expressed by the Court of Justice of the European Union in the Schrems II judgement.
The DPF gives individuals in the EU the ability to have their data corrected or deleted if it has been mishandled, which is a step towards the safer use of personal data by the entities participating in data transfers between the EU and the US.
The DPF is undoubtedly a step towards better protection of personal data in cross-border transfers, as it is designed to ensure that personal data moved from the EU to the US cannot be retained indefinitely or accessed indiscriminately by US authorities. In addition, the self-certification commitments made by participating companies, which are enforceable by the Federal Trade Commission, are intended to protect the rights of EEA data subjects.
Although it remains to be seen whether the DPF will stand the test of time, businesses will certainly face both challenges and opportunities under this new data-sharing regime.
– Team AMLEGALS, assisted by Mr. Bhadresh Damor (Intern)
For any query or feedback, please feel free to get in touch with mridusha.guha@amlegals.com or falak.sawlani@amlegals.com