Exploring the EU-US Data Privacy Framework and GDPR Compliance
In our increasingly global and cloud-based landscape, we’re seeing a rapid rise in regulations governing the storage, collection, and transfer of data. One of the biggest developments in this realm was the July 2023 adequacy decision for the EU-US Data Privacy Framework (DPF).
Designed to facilitate cross-border data transfers, the DPF has changed the way American and European companies transfer data across the Atlantic. It’s already gained lots of attention from data privacy experts — but is it over-hyped?
Today, we’ll explain everything companies need to know about the EU-US Data Privacy Framework, including how it addresses issues raised by the Schrems II data privacy case, the likelihood of a Schrems III challenge, and two key approaches to GDPR compliance for cross-border data transfers.
What is the EU-US Data Privacy Framework?
The EU-US Data Privacy Framework is an agreement established between the European Union and the United States to facilitate unimpeded transatlantic data flows between the two entities. Originating from an executive order issued by US President Biden in October 2022, the agreement is geared towards preserving data privacy for EU individuals and ensuring the secure transfer of personal data.
The EU's General Data Protection Regulation (GDPR), the legislation underpinning the DPF, does not explicitly define data transfer. However, most experts interpret it as a form of data processing that, in the context of the GDPR, covers both transmitting EU personal data to a non-EU/EEA (European Economic Area) country and making it remotely accessible from such a country.
The rights to data privacy and protection are written into the EU’s constitution, which means that the EU Commission governs data transfers very strictly. They are only permitted if the destination country or organization guarantees an adequate level of personal data protection or if an approved transfer tool assures an “essential equivalent” level of protection. They are also forbidden if any EU constitutional rights regarding data privacy are jeopardized by the laws or practices of the destination countries.
Timeline and background of the EU-US Data Privacy Framework
Because of the importance of data privacy to human rights, data transfers among different nations are increasingly regulated and complex. A significant number of states, countries, and international groups have implemented data privacy laws to protect their residents.
However, the importance of free data flows to commerce and communications can’t be overstated. Data transfers between the United States and the European Union currently underpin more than $1 trillion in trade in their overall $7 trillion economic relationship every year.
To balance these two opposing forces, individual data privacy and commercial data transfer needs, the EU-US Data Privacy Framework was introduced. But to understand the framework, we need to look even further back in time.
Schrems I and Schrems II
Schrems I. The initial Schrems case dates to 2013, when the Austrian privacy activist Max Schrems lodged a complaint against Facebook. Schrems asserted that the social media giant had breached the GDPR with its data transfer practices from Europe to the United States. Central to the dispute was the "Safe Harbor" framework, which had allowed US companies to self-certify that they adhered to the EU’s data protection standards. Following a two-year legal battle, the Court of Justice of the European Union (CJEU) sided with Schrems, echoing his concerns about surveillance activities by the US government and nullifying the Safe Harbor arrangement.
Schrems II. The second Schrems case, which concluded in July 2020, again centered around Facebook’s methods of transferring data and again was decided in Schrems’ favor. In this complaint, the central issue was the 2016 EU-US Privacy Shield framework, the agreement that had replaced the Safe Harbor framework. The Court of Justice of the European Union found that this framework was insufficient as well, pointing to similar concerns about US surveillance practices and the lack of sufficient safeguards to protect EU personal data.
Additionally, the court specified in Schrems II that the use of standard contractual clauses (SCCs), previously a widely accepted mechanism for the transfer of personal data, could no longer be applied universally. Instead, it mandated a case-by-case evaluation of the data protection laws in the recipient country.
The Schrems II decision once again left companies in the European Union and the United States without a clear, approved path for data transfers. The case led directly to the creation of the EU-US Data Privacy Framework, bringing us to October 2022.
The October 2022 executive order
Signed on Oct. 7, 2022, the Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities established the EU-US DPF. The executive order (EO) was designed to address many of the concerns of Schrems II by:
- Mandating data handling requirements and safeguards to protect data from “signals intelligence agencies.”
- Defining a list of 12 legitimate objectives and 5 prohibited objectives to govern the collection of data by US intelligence agencies.
- Implementing storage limitation and data minimization principles.
- Limiting the bulk collection of data to a last-resort option.
- Outlining a two-tier redress mechanism to improve independent oversight.
The July 2023 adequacy decision
After an eight-month adoption process, the European Commission officially adopted an adequacy decision for the EU-US Data Privacy Framework in July 2023. This means that the additional safeguards included in the October 2022 EO and the Data Privacy Framework have — at least for now — been determined to provide an adequate level of protection for EU personal data transferred to the US under the GDPR.
Expert analysis of the EU-US Data Privacy Framework
Concerns about the October 2022 EO
Some experts suggest that President Biden’s executive order doesn’t truly address the Schrems II concerns about the collection of EU personal data by US intelligence agencies, since it does not amend existing US surveillance laws. These experts note that EU data subjects are not notified or given access to data collected about them when they are subjected to US intelligence activities, making it virtually impossible to exercise their rights.
On a more logistical level, executive orders are not codified into law by Congress, so they can be changed or overturned by future US presidents. What is codified into law is the US CLOUD Act, which continues to allow federal officials to compel US-based technology companies to give up requested data.
Still others caution that the Data Protection Review Court (DPRC), the body designed to handle complaints about data handling violations, operates under the US Attorney General’s authority. This suggests a concerning lack of independent oversight — after all, your data protection enforcement is only as good as your data protection authorities.
Concerns about an upcoming Schrems III challenge
As we note in our blog post on the topic, many experts expect to see a Schrems III case reach the courts in a matter of months. Max Schrems has already announced his intention to file a new suit about the Data Privacy Framework, and data privacy professionals suggest that businesses should prepare for the European Commission’s adequacy decision to be repealed in the next few years. This leaves businesses on both sides of the Atlantic in an uncertain position.
Two approaches to compliance under the EU-US Data Privacy Framework
Approach 1: Self-certification with the Data Privacy Framework site
Now that the adequacy decision has been adopted, eligible US companies can take the voluntary step of self-certifying their compliance on the new Data Privacy Framework website through the US Department of Commerce. Once they do so, their commitment to the DPF will be enforceable by the relevant US enforcement authority, i.e. by the Federal Trade Commission (FTC), the International Trade Administration (ITA) or other government bodies.
From that point, organizations must adhere to the DPF principles, including the Supplemental Principles, which “collectively consist of a detailed set of requirements based on privacy principles.” Organizations must also:
- Establish procedures for verifying that their assertions about their DPF privacy practices are true and accurate.
- Designate a contact person, such as a CISO or a Chief Privacy Officer, for handling DPF compliance issues and complaints.
- Make the required monetary contribution for the Annex I Binding Arbitration Mechanism, a fund for covering costs when EU, UK, or Swiss individuals invoke binding arbitration to determine whether a participating organization has violated its obligations under the DPF.
Approach 2: Implement advanced data privacy solutions outside of the DPF
Self-certifying with the Data Privacy Framework program is just one way to ensure compliance with the GDPR, and it may be a short-lived solution. If Schrems III or another legal case successfully challenges the framework, companies will be back to square one. That’s why some organizations are choosing not to use the DPF at all.
Instead, companies are implementing meaningful technical and organizational safeguards to protect the privacy of personal data and keep the organization GDPR compliant outside of the DPF. Businesses that choose this path can follow the EDPB’s recommendations for cross-border data transfers, which include five use cases and are particularly relevant for businesses that rely on standard contractual clauses (SCCs) or binding corporate rules to transfer data.
This second approach to GDPR compliance is more open-ended, and it can certainly be difficult to implement the right technical and organizational safeguards. But it’s also more future-proof than self-certifying with the DPF, since meaningful data protection policies and technologies are likely to remain compliant with the GDPR even in the wake of Schrems III. By protecting data as comprehensively as possible now, businesses will find themselves better prepared for future regulatory challenges as EU law, American privacy practices, and the DPF continue to evolve.
ShardSecure for advanced data privacy and security
The ShardSecure platform provides advanced file-level protection, separating data access from infrastructure owners like cloud admins. This approach makes sensitive data unintelligible to unauthorized users, ensuring data privacy for cross-border data transfers.
Support for GDPR compliance. ShardSecure meets the European Data Protection Board’s requirements as a supplemental technology to enable cross-border data transfers under the GDPR. The ShardSecure platform is a split processing technology that can be easily deployed in a multi-party processing environment, meaning that it allows organizations to store and process data safely under the EDPB’s Use Case 5.
Support for data residency and sovereignty. The ShardSecure platform addresses data sovereignty and residency concerns by allowing businesses to use the cloud and on-prem storage providers of their choice, in the geographic locations and jurisdictions of their choice. Specifically, the platform allows data to reside within predefined jurisdictions, ensuring compliance with jurisdictional requirements. Dynamic data routing happens automatically based on metadata, tagging, and policy. This flexibility gives organizations the control they need to mitigate data transfer risks and stay compliant with rapidly changing cross-border data regulations.
To learn more about the ShardSecure platform, visit our resources page.