Transatlantic Data Privacy: A Critical Review of the EU-US Data Privacy Framework

by Luca Farkas

The EU-US Data Privacy Framework (EU-US DPF) was developed to support transatlantic trade by offering US organizations a reliable mechanism for personal data transfers from the European Union to the United States that are consistent with EU law.[1] The EU-US bilateral trade surpassed €1.6 trillion in 2023, and the US remains the EU's largest trading partner.[2] Over 2,800 organizations currently participating in the EU-US DPF may receive personal data from the European Union based on the provisions of the Framework.[3] In July 2023, the European Commission adopted its adequacy decision for the framework, concluding that the US provides an adequate level of protection for personal data transferred from the EU to certified US companies.[4]

The adequacy decision for the EU-US Data Privacy Framework (DPF) requires the European Commission to conduct regular reviews of the framework, in collaboration with European data protection authorities and US counterparts.[5] The first periodic review took place in July 2024. Representatives from the European Data Protection Board (EDPB) participated in the review, and their findings were published in a report focusing on two key areas: the commercial aspects of the DPF[6] and the access by US public authorities to personal data transferred from the EU to DPF-certified organizations.[7]

This article summarizes the EDPB’s findings from the first review of the EU-US DPF, explores the potential impact of the new US administration on the Framework, and provides a brief conclusion on the path forward.

Key Findings I: Assessing the Commercial and Regulatory Impact of the DPF

In its report, the EDPB made several key findings regarding the DPF on commercial aspects.

1. Self-certification process:[8] The EDPB found that the US Department of Commerce (DoC) effectively implemented the self-certification process for US companies, including the creation of a new website, updated procedures, and awareness-raising activities. However, it raised concerns about ex officio oversight and structural enforcement actions, both by the DoC, the Federal Trade Commission (FTC) and the Department of Transportation (DoT). While automated compliance checks are being introduced, the EDPB emphasized the need for manual investigations and proactive enforcement. Additionally, the EDPB urged the DoC to better track how companies that withdrew or let their certification lapse handle retained personal data.

2. Complaint handling:[9] The EDPB noted that while the complaint process is functioning, the low number of complaints received from EU individuals raised concerns about its effectiveness. The EDPB recommended that US authorities increase proactive checks and investigations to ensure compliance with the DPF's principles. Additionally, the EDPB called for standardizing the annual reports from Independent Recourse Mechanism (IRM) providers to improve comparability and transparency.

3. Guidance and Cooperation:[10] The EDPB highlighted the publication of guidance by the DoC, the EDPB, and the European Commission, including FAQs, to assist individuals and organizations with DPF compliance. While the EDPB welcomed these efforts, it encouraged the DoC to provide additional practical guidance, especially on the Accountability for Onward Transfer Principle and the interpretation of HR Data under the DPF, as the clarification of these issues is crucial for ensuring consistent application and compliance.

4. Relevant Legal Developments in the US:[11] The EDPB noted significant developments in US privacy law, including the enactment of comprehensive privacy laws in twenty states, with nine already in force. While a federal data protection law seems unlikely, the EDPB emphasized its importance for the adequacy decision’s stability. It also welcomed increased FTC enforcement against discrimination in automated systems, noting that 17 states have enacted laws regulating such processing. Lastly, the EDPB acknowledged concerns regarding the US Supreme Court's ruling in Loper Bright Enterprises v. Raimondo, which could impact the FTC's enforcement powers, but was reassured by the FTC’s response that its rulemaking authority remains unaffected.

Key Findings II: Assessing the US Public Authorities' Access to Data

The EDPB also offered findings concerning US public authorities' access to personal data under the DPF:

1. Implementation of Necessity and Proportionality under EO 14086:[12] The EDPB acknowledged updates to US intelligence agencies' internal policies following the introduction of Executive Order (EO) 14086, particularly its emphasis on the principles of necessity and proportionality in signals intelligence to safeguard privacy and civil liberties. However, the EDPB expressed concern about the lack of concrete examples of how these principles are being applied in practice by US intelligence agencies.

2. Re-authorisation of Section 702 FISA:[13] The EDPB welcomed recent amendments to Section 702 FISA under the Reform Intelligence and Securing America Act (RISAA), noting improvements in privacy protections. However, it expressed concerns about the expansion of the "electronic communication service provider" (ECSP) definition, which could increase the scope of data collection. The EDPB also highlighted the risks of unclear legal parameters for surveillance and emphasized the importance of monitoring these changes in practice, particularly the application of the broadened ECSP definition and the role of amici curiae in FISA courts.

3. Redress Mechanism:[14] The EDPB acknowledged significant improvements in the US two-layer redress mechanism, including the enhanced independence of the Data Protection Review Court (DPRC) and the appointment of qualified judges. However, it emphasized that the mechanism has yet to be tested in practice, as no complaints have been filed so far. The EDPB called on the Commission to monitor the safeguards and the mechanism, particularly regarding the independence of the DPRC and the standard response process. The EDPB also highlighted the pending annual review by the Privacy and Civil Liberties Oversight Board (PCLOB), which is expected to further assess the system.

4. Government Access to Commercially Available Data:[15] The EDPB expressed concerns over US intelligence agencies acquiring personal data from commercial entities, noting that while these acquisitions are outside the scope of EO 14086, they may circumvent its privacy safeguards. The EDPB emphasized the need for further oversight by the European Commission and stressed that the Accountability for Onward Transfer Principle should be carefully monitored to ensure adequate protection when such data is transferred.

Privacy Under Pressure: Will Trump's Re-election Affect the EU-US Data Privacy Framework?

The re-election of Donald Trump has reignited discussions about the future of the EU-US Data Privacy Framework. While some anticipate minimal changes during his second term, the DPF’s fate remains a contentious issue. The framework itself was established under the Trump administration following the Court of Justice of the EU's invalidation of the Privacy Shield.[16] Despite this, the Biden administration worked to operationalize the DPF through an executive order and implementing regulations, which the incoming administration may reassess critically.[17]

Experts, including John Miller, Senior Vice President of Policy and General Counsel at the Information Technology Industry Council, and Alberto Di Felice, Policy and Legal Counsel at DigitalEurope, suggest that the US's commitments under the DPF are unlikely to change significantly, regardless of who occupies the White House.[18]

However, recent developments have added complexity to the situation. French Member of Parliament Philippe Latombe has called for the suspension of the DPF before Trump returns to office.[19] He expressed concerns that a protectionist US administration could undermine EU interests, particularly due to risks posed by FISA Section 702, which allows US intelligence agencies to access foreign data, potentially compromising European privacy protections. This highlights ongoing concerns about data privacy and the impact of US laws on EU citizens' rights.

The Road Ahead: Ensuring the EU-US Data Privacy Framework’s Continued Success

The first periodic review of the EU-US Data Privacy Framework highlights areas for improvement, particularly in enforcement, proactive oversight, and privacy safeguards in US intelligence practices. While progress has been made, the EDPB’s findings underscore persistent challenges related to the unidirectional flow of data, with concerns that US access to European data is used for both commercial and intelligence purposes. This imbalance raises questions about the adequacy of the current DPF, particularly given the lack of concrete examples of how key privacy principles—such as necessity and proportionality—are being applied in practice by US intelligence agencies.

These gaps suggest that while the GDPR provides a strong foundation for data protection, it does not fully safeguard EU digital sovereignty in the context of transatlantic data flows. Ongoing monitoring and further refinement of the DPF are crucial to address these vulnerabilities. The EDPB has recommended that the next review of the DPF take place within four years,[20] signalling the need for continuous evaluation and adaptation to ensure the framework’s resilience against these challenges.

[1] US Department of Commerce, Data Privacy Framework Program Overview, https://www.dataprivacyframework.gov/Program-Overview, accessed 05.12.2024.

[2] DigitalEurope, First review of the EU-US Data Privacy Framework, 09.09.2024, https://www.digitaleurope.org/resources/first-review-of-the-eu-us-data-privacy-framework/.

[3] European Data Protection Board (EDPB), Report on the First Review of the European Commission Implementing Decision on the Adequate Protection of Personal Data under the EU-US Data Privacy Framework, adopted 04.11.2024, hereinafter: EDPB, First Review Report, page 7.

[4] European Commission, Data Protection: European Commission adopts new adequacy decision for safe and trusted EU-US data flows, Press Release, 10.07.2023, https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721.

[5] European Commission, Commission Implementing Decision of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the Adequate Level of Protection of Personal Data under the EU-US Data Privacy Framework (“Adequacy Decision”), C(2023) 4745 final, 10.07.2023, Article 3.

[6] EDPB, First Review Report, page 6.

[7] Ibid., page 11.

[8] Ibid., pages 6-7.

[9] Ibid., pages 7-8.

[10] Ibid., pages 8-9.

[11] Ibid., pages 9-10.

[12] Ibid., pages 11-14.

[13] Ibid., pages 14-17.

[14] Ibid., pages 17-19.

[15] Ibid., pages 19-20.

[16] CJEU, “Schrems II” judgment of 16 July 2020 in case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, ECLI:EU:C:2020:559.

[17] IAPP, Jedidiah Bracy, What the US election results may mean for digital policy, 07.11.2024, https://iapp.org/news/a/what-the-us-election-results-may-mean-for-digital-policy/; IAPP, Alex LaCasse, European Commission report reviews progress of EU-US DPF, 09.10.2024, https://iapp.org/news/a/european-commission-report-reviews-progress-of-eu-us-dpf, hereinafter: IAPP, LaCasse, European Commission Report on DPF.

[18] IAPP, LaCasse, European Commission Report on DPF.

[19] Brussels Signal, Anne-Laure Dufeal, French MP urges EC chief to suspend EU-US data privacy framework over Trump concerns, 15.11.2024, https://brusselssignal.eu/2024/11/french-mp-urges-ec-chief-to-suspend-eu-us-data-privacy-framework-over-trump-concerns/.

[20] EDPB, First Review Report, page 4.