EU-US Data Transfer Framework will be overturned within five years, says expert


The European Commission has adopted the adequacy decision for the EU-US Data Privacy Framework after years of talks, but experts have indicated the Commission will struggle to uphold it in court.

In its decision announced on 10 July, the Commission found that the US upholds a level of protection comparable to that of the EU when it comes to the transfer of personal data. 

Companies that comply with the extensive requirements of the framework can access a streamlined path for transferring data from the EU to the US without the need for extra data protection measures.

The framework is likely to face legal action and be overturned, according to Nader Henein, research VP of privacy and data protection at Gartner.

“It takes one step closer to what the European Court of Justice needs, but it takes one where the Court of Justice needs it to take five, or ten steps,” Henein told ITPro.

“Maximilian Schrems already said he was going to do it, and if not him someone else will like the EFF or multiple privacy groups. What we’re telling our clients is two to five years, depending on who raises the request, when they raise it, and who they use.”

A potential legal challenge could move more swiftly if the individual complaint was made against a known entity such as Facebook, which was the subject of the Schrems II verdict that took down the old framework known as Privacy Shield.

Schrems has posted a series of tweets comparing the new adequacy agreement to Privacy Shield, and vowed to fight it in the courts.

Henein said businesses are being advised to use the next two years to set up plans that are not dependent on the EU-US Data Privacy Framework, and noted that many firms will be approaching suppliers to demand they protect against more expensive disruption.

The European Commission has stated the framework will be subject to regular reviews, and a check that the US side of the framework is operating as intended is expected within 12 months.

Unlike the EU, which has the GDPR, the US has no federal data protection scheme. It often leans on the Fourth Amendment, which protects US citizens from “unreasonable searches and seizures”, as a precedent for the conduct of law enforcement, but this does not apply to EU citizens.

While the framework is in effect, compliant companies will be able to transfer data without the need for costly additional assessments, which could prove especially beneficial for cross-Atlantic collaboration.

“The EU-US Data Privacy Framework is a positive development in the mission to protect individuals and organizations on both sides of the Atlantic against cyber threats,” said Drew Bagley, VP and counsel, privacy and cyber policy at CrowdStrike.

“Modern IT infrastructure, cyber security, and privacy compliance programs are dependent upon global data flows.




“Data localization is not a substitute for data protection, and the new Framework stands in sharp contrast to some policy and certification proposals that mistakenly prioritize localizing data over protecting would-be victims from breaches. 

“This marks an opportunity to accelerate the G7’s Data Free Flow with Trust initiative and ensure defenders have the tools they need to defend against cyber attacks.”

From 2016 to 2020, transfers between the EU and US had been covered by the regulatory framework Privacy Shield. This worked as an adequacy agreement between the EU and US, with the US having promised to oversee the deletion of unneeded data.

In July 2020 the European Court of Justice invalidated Privacy Shield, having ruled that it was not compatible with the rights afforded to non-US citizens regarding surveillance and data collection in the name of national security.

The EU-US Data Privacy Framework seeks to address these concerns with new safeguards in place for EU citizens. 

President Biden signed an executive order in October 2022 which brought in new restrictions and measures of redress for intelligence service activities.

One of the foremost concerns with transferring EU data to the US has historically been that US intelligence services would be able to access and use sensitive data belonging to EU citizens.

Under the new agreement, intelligence entities will only be able to access data in a manner proportionate to protecting national security. 

Under the framework, EU citizens will also be given access to an impartial, independent mechanism for redress over the use of data by US intelligence agencies overseen by a new Data Protection Review Court (DPRC).

Complaints will be free to make, and citizens will not be required to produce evidence that their data was collected by an intelligence agency in order for the complaint to be looked into.

Ursula von der Leyen, President of the European Commission, praised the “unprecedented commitments to establish the new framework” taken by the US.

But Henein argued that there is nowhere near enough transparency, and that because the surveillance redress process appears to happen behind closed doors, it is unlikely to satisfy privacy concerns.

Rory Bathgate
Features and Multimedia Editor
