All about the new Data Transfer Framework

Image of Carlo Cilento

Published on Aug 2, 2023 and edited on Aug 15, 2023 by Carlo Cilento

On July 10, the European Commission adopted its long-anticipated adequacy decision for the United States. This is the final step in implementing the Trans Atlantic Data Privacy Framework (DPF), a bilateral framework between the EU and the US that allows for easier data flows between the US and EU/EEA Countries.

Not everyone is happy about the decision. The European Parliament expressed a negative opinion on the new framework and privacy NGO noyb- which is quite involved in the story- already announced that it would challenge the adequacy decision in the EU Court of Justice. This is nothing new. Two data transfer frameworks have already been invalidated before in the Schrems I and II judgments. In all likelihood, Schrems III will be the framework’s baptism by fire. And it is really hard to say how it will play out.

But what is the DPF exactly? How does it impact data transfers, and what legal issues does it raise? Let’s find out!

  1. What is the Trans Atlantic Data Protection Framework?
  2. Will the Trans-Atlantic Data Privacy Framework solve the issue with EU-US data transfers?
  3. How does the Trans Atlantic Data Protection Framework work?
    1. Data transfers in a nutshell
    2. How do you transfer data to the US under the Trans-Atlantic Data Protection Framework?
  4. What is the story behind the DPF?
    1. Schrems I and II
    2. Data transfers after Schrems II
    3. Why did the new framework take so long?
  5. Final Thoughts
Logo of the Government of the United KingdomThe UK Government chose Simple AnalyticsJoin them

What is the Trans Atlantic Data Protection Framework?

The DP is a data transfer framework set up by the US government and the European Commission to facilitate data transfers between the US and the EU/European Economic Area. But it is not an international agreement in a strict sense because it is based on internal legal acts within the US and EU legal frameworks. These internal acts result from extensive negotiations between the US and the EU.

On the European side we have the adequacy decision we mentioned above. An adequacy decision is a unilateral act of the European Commission that acknowledges that a third country (in this case, the US) has a solid enough data protection framework and, therefore, “greenlights” data transfers to that country.

On the American side, we have Executive Order 14086, signed in October 2022 by President Joe Biden. An executive order is an order issued by the President to public administrations (in this case, intelligence agencies). Executive Order 14086 includes rules that (somewhat) limit the powers of agencies when dealing with certain strategic allies, including the EU. It also sets up a redress system to increase the degree of scrutiny over Internet surveillance of people in the EU and EEA.

islands.png

Will the Trans-Atlantic Data Privacy Framework solve the issue with EU-US data transfers?

It will if the Court of Justice does not shoot it down- and that’s a big if.

Two older frameworks (the Safe Harbor and the Privacy Shield) have been invalidated by the Court before because they did not provide sufficient protection for European data, and NGO noyb already announced a legal battle in the Court of Justice against the DPF in the Court of Justice.

This does not necessarily mean that the DPF will be invalidated as well, but it is a real possibility. It’s hard to say how it will go: the DPF is, in some ways, a step up from the past but is still problematic under certain aspects.

How does the Trans Atlantic Data Protection Framework work?

Data transfers in a nutshell

To understand how the framework impacts data transfers, we first need to take a step back and look at how data transfers work under the GDPR.

The GDPR only allows for safe and confidential transfers of personal data outside the EU (more exactly, outside the EEA because the GDPR also applies in Iceland, Norway, and Liechtenstein).

This makes sense: without this fundamental principle, all the privacy protections of the GDPR would be compromised the moment personal data leave the EU (which happens all the time). So, the GDPR does not forbid the transfers of personal data outside the EU but rather requires them to be safe.

To implement this principle, the GDPR requires certain safeguards for data transfers. In practice, this means that the GDPR lists a small number of legal mechanisms that act as safeguards for personal data and requires organizations to pick one and implement it properly before they transfer personal data. A data transfer without safeguards is illegal (with very narrow exceptions).

The adequacy decisions we mentioned are one of these safeguards. They are every organization’s favorite safeguard because they require little or no paperwork. Still, they are only available for a few countries (you can find them listed on the European Commission’s website).

When an adequacy decision is unavailable, most organizations resort to the standard contractual clauses (SCCs) drafted by the European Commission. SCCs are clauses that tell the parties what they can and cannot do with personal data. This way, the binding force of a contract makes up for lacking privacy rules in the recipient’s Country.

SCCs are a clever tool but have a major flaw: they do little or nothing to protect the data against State surveillance. This is due to their contractual nature: they bind the organizations that sign them but do not bind Countries.

Unfortunately, State surveillance is precisely the legal issue standing in the way of EU-US data transfers. The extensive and disproportionate nature of US intelligence operations is why the Court of Justice already invalidated two data transfer frameworks in the Schrems I and II decisions.

Schrems II decisions also impacted the use of SCCs. The Court clarified that organizations need to make sure SCCs actually work for the Country where the data are going. In practice, this means that companies that use SCCs to send data to the US must implement additional safeguards to keep personal data safe from the National Security Agency.

This is not the easiest task in the world and is entirely impossible when using certain US-based providers. Taken seriously, the Schrems II ruling of the Court of Justice can make reliance on many US services entirely illegal- including key players such as Azure, Oracle, and AWS. So, the DPF and its future are a big deal for the European digital economy.

biden.png

How do you transfer data to the US under the Trans-Atlantic Data Protection Framework?

The DPF will simplify data transfers in two ways. First, European organizations can rely on the adequacy decision for the US when sending data to some US-based organizations- but not all.

The DPF only allows EU companies to transfer data to organizations that adhere to the Privacy Shield principles and self-certify this adherence to the US Department of Commerce. In practical terms, this means that you cannot rely on the adequacy decision to send data to an organization that does not adhere to the Privacy Shield principles. In that case, you will need to use a different safeguard- typically SCCs.

Second, data transfers to all other organizations are facilitated because the Executive order (somewhat) limits the discretion of intelligence agencies to spy on European data. So the Executive Order allows for data transfers based on SCCs with little or no additional safeguards.

Of course, this assumes the DPF survives Schrems III, which is far from certain!

It is also worth pointing out that you cannot transfer personal data to US companies left and right just because you have an adequacy decision! The general rules of the GDPR still apply: if you don’t have a legitimate reason for disclosing personal data to another organization, then you cannot do so- even if the data stay within the EU. With all the talk about data transfers, it’s easy to forget that data transfer rules are just one piece of the compliance puzzle.

What is the story behind the DPF?

Schrems I and II

The DPF is not the first data privacy framework between the EU and the US. Two such frameworks were set up in the past and things did not go well.

In 2000, the EU and the US had a data transfer framework called the Safe Harbor. In 2013, after the Snowden revelations of extensive US surveillance over foreign data, Austrian citizen Maximilian Schrems (this name will come up a lot) filed a complaint against Facebook Ireland (now Meta). He claimed that the company’s transfers of personal data to its US-based parent company exposed the information to a substantial risk of State surveillance from US agencies and was, therefore, illegal.

This started a decade-long legal battle involving the Irish privacy authority (DPC), the Irish administrative court system, and the EU Court of Justice (CJEU). The CJEU got a say in the matter twice with the Schrems I and II decisions.

Both rulings are landmark cases in EU data protection law, and both invalidated a data transfer framework- first the Safety Harbor and then its successor, the Privacy Shield (yup, it’s named like the Privacy Shield principles, which is confusing). In other words, the DPF is a third attempt.

Schrems I and II are long and complicated decisions that touch on many subjects but have two main takeaways.

  • Adequacy decisions are not purely political decisions. Under the GDPR, the Commission can only adopt an adequacy decision for countries that ensure “an adequate level of protection” for personal data. In other words, the Commission cannot adopt an adequacy decision just because it likes a country, but must consider objective factors. If these factors are not assessed correctly, then the adequacy decision is wrong and can be invalidated by the Court of Justice. This is what happened in Schrems I and II.
  • The second important takeaway is that transferring personal data can sometimes require additional safeguards on top of those required by the GDPR. The reasoning is simple: because standard contractual clauses do not bind the recipient State, they do nothing to protect European data from surveillance- which is the core of the issue in both Schrems II rulings. Therefore, to safely transfer the data, EU organizations must find other ways to keep personal data confidential.

There’s an obvious problem here: intelligence agencies are good at collecting confidential information, no matter how well it is protected. That’s their job after all. So, as we explained above, it is very difficult- and sometimes impossible- for a European company to supplement SCCs with additional safeguards that actually work.

researcher-red-shirt.png

Data transfers after Schrems II

The Schrems II case was decided in 2020 and the ruling put many European companies in a difficult position because they were (and still are) highly dependent on US-based service providers. As a result, many companies essentially ignored the ruling and kept doing business as usual.

A privacy NGO called noyb (of which Schrems himself is a member) was not happy with the situation and started to nudge authorities towards strict enforcement of the Schrems II ruling by filing a bunch of complaints against the data transfers for Google Analytics and Facebook Connect. This led privacy authorities to take a harder stance on data transfers and practically ban Google Analytics from some Member States, including the key national markets of France and Italy.

(To be clear, privacy authorities decided the matter on a case-by-case basis, but it was rather clear that future cases would have been decided in the same way- which is why the decision practically amounted to State-wide bans and led to widespread panic among marketers).

Of course, there was much more at stake than Google Analytics itself, so the EU Commission and the US government negotiated a new data transfer framework. The implementation of this framework started in October 2022 when President Joe Biden issued Executive Order 14086 and ended on July 2023 when the Commission adopted its adequacy decision for the US.

Why did the new framework take so long?

If EU-US data flows are such a big deal for both parties, why did it take them three years to implement the new framework?

Well, setting up this framework was not easy. The DPF results from complex legal work, especially on the American side.

The Commission wanted a data transfer framework badly but also needed one that could survive a Schrems III ruling (and it remains to be seen whether that will be the case). At the same time, the US government had to figure out a system that would not only satisfy the EU Court of Justice but also conform to the constraints of US constitutional law and to the case law of the US Supreme Court. In other words, the DPF is an attempt to make two Courts happy at the same time.

If you have time to kill, this excellent article takes a deep dive into US law and explains some of the legal engineering behind the redress mechanism implemented by the Executive Order. Whether the DPF survives Schrems III or not, the ingenuity behind the systems is impressive.

Final Thoughts

Overall, the DPF is a divisive topic, and people tend to fall into camps. Some consider the DPF to be the definitive solution to the issue of data transfers and are confident that Schrems III will go well. Others, including Max Schrems and noyb, believe the DPF to be a copy of the Privacy Shield and are positive that the Court of Justice will shoot it down.

We believe the truth lies somewhere in the middle. The DPF is definitely a step up from the Privacy Shield, but then again, the Privacy Shield was terrible. Along with the improvements, there are still potential problems with the new framework.

Schrems III could play out either way. On the one hand, the overwhelmingly negative opinion of the European Parliament on the DPF is not the most promising start and may very well nudge the Court towards a hard stance. On the other hand, the current international tension due to the war in Ukraine might nudge the Court in the opposite direction and suggest some degree of pragmatism when dealing with a strategic ally of the EU.

We know that if the DPF goes down, we will be back at square one. In fact, data transfers might become an even bigger problem after Schrems III because the enforcement of Schrems II has caught some steam since 2020 (see the recent €1.2 billion fine against Meta!). Then again, the Court probably won’t shoot the DPF down without feeding the US government and the Commission some hints about what it wants to see next in framework number four.

Bottom line, we can only wait and see. In the meantime, companies should have a plan B at hand- or at least a rough sketch of a plan- in case Schrems III does not go well.

The bad news is that this is really difficult for some service providers. The good news is that it is very easy for web analytics. In fact, there is no need to wait for Schrems III- many companies can benefit from ditching Google Analytics!

Google Analytics is the standard analytics tool on the Internet, but it is not irreplaceable. Many alternatives exist, including privacy-friendly and EU-based ones. And we have just the one for you.

We at Simple Analytics believe that you don’t need to aggressively track visitors to get the insight you need! This is why we made privacy the cornerstone of Simple Analytics.

Our services does not collect any personal data, does not fingerprint visitors, and does not track them in any way- all while providing excellent insights and being very easy to use compared to the competition. If this sounds good to you, feel free to give us a try!

GA4 is complex. Try Simple Analytics

GA4 is like sitting in an airplane cockpit without a pilot license

Start 14-day trial