A new report issued in May 2024 by the Centre for European Policy Studies (CEPS), an independent thinktank, is the latest development to cause concerns over the EU-U.S. Data Privacy Framework (DPF), predicting that it will likely fail if challenged before the Court of Justice of the European Union (CJEU).
To recap, international data transfers between countries of the European Economic Area and third countries must be “adequately safeguarded,” so that individuals retain adequate privacy protections. Where a third country has been deemed by the EU Commission to provide an adequate level of protection for personal data (by way of an “adequacy decision”), such privacy safeguards are considered to be in place by virtue of the national law in the receiving jurisdiction. Where an adequacy decision has not been made, additional safeguards are required with respect to the transfer, such as approved standard contractual clauses being incorporated into the data transfer agreement, essentially pushing EU law onto the non-European data recipient contractually.
The EU and United States have previously attempted to facilitate international data transfers that satisfy EU standards through “partial” adequacy decisions via the so-called “Safe Harbor” and “Privacy Shield” frameworks. Under these frameworks, organizations could voluntarily self-certify by committing to comply with additional data protection obligations and thereby receive personal data from Europe without the need for standard contractual clauses or other appropriate safeguards. However, both mechanisms were rejected at the CJEU in its Schrems I and Schrems II decisions, respectively.
The EU-U.S. Data Privacy Framework (DPF) is the third attempt by the EU and United States to implement a data transfer mechanism and was approved following an adequacy decision from the European Commission in July 2023.
In this latest report, CEPS casts doubt on how the DPF would fare if its lawfulness were challenged before the CJEU. While the DPF survived its first challenge, brought by French MP Philippe Latombe in September 2023 (in which the CJEU refused to grant interim measures to pause the DPF’s implementation but did not consider the validity of the DPF in detail), further challenges seem inevitable. NOYB, for example, the nonprofit organization established by Max Schrems and responsible for the successful challenges to the Safe Harbor and Privacy Shield, has previously confirmed that it will challenge the DPF.
The report contends that the DPF has failed to implement several crucial legal benchmarks set out in Schrems II. Additionally, the report asserts that the lack of change to U.S. intelligence policy, coupled with the alleged failure to provide adequate redress mechanisms, could limit the DPF’s viability. This conflicts with the optimism displayed by those who negotiated the new framework: European Commissioner for Justice Didier Reynders previously stated, when the DPF was implemented, that “We are very confident to not only implement such an agreement, but to defend such an agreement in all the different procedures that we will have to face.” It will be interesting to see the outcome of the EU Commission’s first review of the DPF, which is due to take place within the first year of its entry into force (i.e., by July 2024).
To summarize, the CEPS report highlights the ongoing friction between the data protection regimes in the EU and the United States and the uncertainty that can face global organizations seeking to transfer data internationally. The DPF remains intact for now, but whether it will be challenged is likely a question of “when” and not “if,” with question marks remaining over whether it could truly withstand such headwinds.