Is the EU-US Data Privacy Framework in danger?

Recent actions by President Trump could have a negative impact on transatlantic data transfers. Here’s how organizations should mitigate.

Recent developments have raised significant concerns about the future of the EU-US Data Privacy Framework (DPF). In this article, we give a short overview of these developments and their potential impact on transatlantic data transfers.

Under the General Data Protection Regulation (GDPR), transferring personal data from the EU to countries outside the EU, known as third countries, is subject to strict rules. If a third country is deemed by the European Commission to have an adequate level of data protection, data can be transferred freely, similar to transfers within the EU.

However, if a third country does not have this adequacy status, the GDPR requires additional safeguards such as standard contractual clauses, binding corporate rules or explicit consent from the individual whose data is being transferred.

Personal data

The EU-U.S. Data Privacy Framework is a mechanism designed to facilitate the transfer of personal data between the EU and the US while ensuring compliance with EU data protection standards. This framework replaces the previous Privacy Shield and aims to address concerns raised by the Court of Justice of the EU (see Schrems strikes again). It provides a set of principles and commitments that US organizations must adhere to, ensuring that personal data transferred from the EU to these organizations is adequately protected.

On July 10, 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework. This decision means that personal data can flow freely from the EU to US companies participating in the framework, as they are considered to provide an adequate level of protection. The decision followed the adoption of safeguards by the US government, including an Executive Order enhancing protections for data accessed by US intelligence agencies.

These measures ensure that data access is necessary and proportionate and establish an independent redress mechanism for EU citizens. The Privacy and Civil Liberties Oversight Board plays a crucial role in overseeing these safeguards.

Doubts over DPF

Two recent actions by US President Trump cast significant doubt on the future of the DPF:

  • The New York Times reported that President Trump has requested the resignation of the Democratic members of the Privacy and Civil Liberties Oversight Board (PCLOB). The European Commission’s adequacy decision for the DPF relied heavily on the oversight provided by the PCLOB, among other mechanisms. If the Democratic members resign, and if President Trump does not appoint new members instead, the PCLOB would become non-functional. This, in turn, would undermine the legal validity of the DPF, particularly in the eyes of EU courts.
  • In one of the first Executive Orders that he signed on Inauguration Day, President Trump decided that his predecessor’s national security decisions – including the decisions creating and supporting the DPF – should be reviewed and potentially annulled within 45 days.

Consequences for EU-US data transfers

The DPF would not immediately become invalid if the PCLOB becomes non-functional or if the Trump administration annuls DPF-relevant national security decisions. However, the DPF could become invalid if the EU Commission withdraws its adequacy decision or if the Court of Justice of the EU overturns the Commission’s adequacy decision following a legal challenge. This wouldn’t be unprecedented, as the Court of Justice has previously struck down the DPF’s predecessors (Safe Harbor and the EU-US Privacy Shield).

If the DPF is invalidated, US businesses that rely on it to receive and process personal data from EU organizations would no longer be able to do so. This would jeopardize EU-US transatlantic data transfers based on the DPF, thereby disrupting business operations and data flows.

Our recommendations

For organizations relying on the DPF for EU-US data flows, we recommend the following actions to mitigate potential disruptions:

Check your data flows

Map out your company’s data transfers, both intra-group and with third-party business partners, and assess which transfers rely on the DPF.

Consider EU-only solutions

Evaluate the feasibility of migrating to solutions where personal data remains within the EU. This can help mitigate risks associated with transatlantic data transfers and ensure compliance with GDPR requirements. For example, assess whether your service providers offer EU-based data storage and processing options.

Implement standard contractual clauses

Instead of relying on the DPF, consider deploying the EU Commission’s pre-approved standard contractual clauses (SCCs). SCCs provide a legal framework for data transfers to third countries (including the US), ensuring that the transferred data is adequately protected. See more information about SCCs.

When deploying SCCs, you will need to conduct a transfer impact assessment (TIA). If the TIA reveals that the SCCs on their own are unlikely to ensure an adequate level of protection, you should implement supplementary measures, for example:

  • anonymizing or pseudonymizing the data before it is transferred, with the re-identification key or mapping kept separately in the EU;
  • minimizing the volume of personal data that is transferred to what the recipient actually needs;
  • limiting the period during which the transferred data may be retained in the third country;
  • encrypting the data before it is transferred and keeping the decryption key in the EU, so that the importer never holds plaintext.

For more information about such supplementary measures, see the recommendations issued by the European Data Protection Board.
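The following is an added example, not code from the article or from any of the bodies it cites, of what three of the supplementary measures above look like in practice: keyed pseudonymization of the data subject, field-level minimization, and a retention limit that travels with the record. It assumes a hypothetical support-ticket record layout and a pseudonymization key held in the EU; in production that key would live in an EU-resident KMS or HSM and the re-identification table would never leave the EU. Encryption of the payload itself is left out because the standard library has no AES implementation; the point demonstrated is that the US importer receives nothing it can link back to a person without material that stays in Europe.

```python
"""Pseudonymise and minimise a customer record before it leaves the EU.

Added example (not from the article). The record layout, field names and
retention policy are hypothetical; the HMAC key stands in for a key held in
an EU-resident KMS/HSM.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fields the US processor legitimately needs (data minimisation).
# Everything not listed here is dropped before transfer.
EXPORT_ALLOWLIST = frozenset({"ticket_id", "product", "issue_category", "created_at"})

# Fields that directly identify the data subject and must never be exported.
DIRECT_IDENTIFIERS = frozenset({"customer_id", "email", "full_name", "phone"})


def pseudonymise(customer_id: str, key: bytes) -> str:
    """Keyed pseudonym: stable per customer under one key, unlinkable without it.

    A plain hash would let the importer brute-force a small identifier space
    (customer numbers, e-mail addresses). The HMAC key is the 'additional
    information' that GDPR Art. 4(5) requires to be kept separately.
    """
    return hmac.new(key, customer_id.encode("utf-8"), hashlib.sha256).hexdigest()


def prepare_for_transfer(record: dict, key: bytes, retention_days: int,
                         now: Optional[datetime] = None) -> tuple:
    """Return (record safe to export, EU-only re-identification entry)."""
    now = now or datetime.now(timezone.utc)
    token = pseudonymise(record["customer_id"], key)
    exported = {k: v for k, v in record.items() if k in EXPORT_ALLOWLIST}
    exported["subject_token"] = token
    # The retention limit travels with the data so the importer can enforce deletion.
    exported["delete_after"] = (now + timedelta(days=retention_days)).isoformat()
    # Mapping from token back to the real identifier stays in the EU.
    reid_entry = {token: record["customer_id"]}
    return exported, reid_entry


def leaks_direct_identifier(exported: dict) -> bool:
    """Pre-transfer check: refuse the export if any direct identifier slipped through."""
    return any(k in DIRECT_IDENTIFIERS for k in exported)


def reidentify(token: str, reid_table: dict) -> Optional[str]:
    """EU-side lookup; the importer holds no equivalent table or key."""
    return reid_table.get(token)


if __name__ == "__main__":
    # Constructed sample record; not real customer data.
    sample = {
        "ticket_id": "T-1001",
        "customer_id": "C-42",
        "email": "alice@example.com",
        "full_name": "Alice Example",
        "product": "Router X1",
        "issue_category": "firmware",
        "created_at": "2025-01-21T09:30:00Z",
    }
    key = secrets.token_bytes(32)  # would be fetched from the EU KMS in practice
    out, reid = prepare_for_transfer(sample, key, retention_days=90)
    if leaks_direct_identifier(out):
        raise SystemExit("refusing transfer: direct identifier present")
    print("exported to US processor:", out)
    print("EU-side re-identification:", reidentify(out["subject_token"], reid))
```

Two properties matter for the TIA argument. First, the same customer yields the same token under the same key, so the importer can still correlate tickets per subject for analytics, which is usually the business reason the transfer exists. Second, with a different key (or no key) the token is useless, so the importer, and anyone compelling the importer, cannot recover the identity; that is what makes the key's location in the EU the decisive control rather than the contract text alone.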