Transatlantic data bridge ready to launch
MLex examines the new EU-US Data Privacy Framework, set to open for business on Monday amid confidence from US officials
12 July 2023
By Mike Swift and Matthew Newman
Just before dawn Monday morning in Washington, DC, a US Department of Commerce website will flip on, allowing companies that want to transfer personal data between the EU and the US to register for a new transatlantic data bridge.
Imagine a red neon “Open” sign flickering to life in a new storefront. The EU-US Data Privacy Framework will be ready for business.
The Commerce Department will stand by to aid companies, most of which are expected to be small or mid-sized firms, with the required rewrite of their privacy policies and practices under the old EU-US Privacy Shield to fit the rules of the new DPF. Confident about the durability of the new data transfer framework, US officials plan to actively promote the new data transfer system to the US business community.
Ultimately, the Commerce Department hopes the new DPF will register significantly more companies than the roughly 5,000 that were using Privacy Shield when it was nullified by the European Court of Justice in July 2020.
“I think we’ll be starting from a larger base than we did when we launched Privacy Shield,” as the several thousand companies that remained compliant with the old system transition to the new DPF, said a senior US Commerce official who spoke at length to MLex on background about the agreement. “I definitely hope more companies will sign up for the Data Privacy Framework and recognize that this does provide significant value.”
The US Federal Trade Commission will begin enforcement against any companies that fail to honor privacy promises under the DPF, continuing the role it had under Privacy Shield. By the end of the summer, a group of newly appointed judges is expected to be in place in the new Data Protection Review Court stood up by the US Department of Justice, poised to be the final judicial backstop in a two-step redress process for privacy complaints filed by Europeans over abuses by US intelligence agencies.
The establishment of this court, which will handle complaints about how EU citizens' data is handled by security authorities, was a key requirement for EU negotiators, who were following the criteria for upholding EU data protection rules set out in the EU court's judgment.
The DPF appears sure to face a legal challenge, however. That challenge, from data protection activist Max Schrems, who was behind the last challenge to the EU-US Privacy Shield, could be filed in a national court in the EU within the next few months.
Healed rift?
In the decade since National Security Agency consultant Edward Snowden ripped the mask off the vast US signals intelligence apparatus aimed at Europe and other parts of the world, a period in which the EU passed the General Data Protection Regulation, there appeared to be a widening chasm between privacy protections in the US and Europe. Now, however, the hope in Washington is that the meticulous and collaborative process of negotiating the DPF over the past two years has helped to heal that rupture.
US officials believe, the senior official said, that the new DPF isn’t just a legal framework durable enough to withstand a legal challenge. They believe it represents a new level of understanding by both the EU and the US about privacy jurisprudence in both democracies. By altering the signals intelligence procedures of the NSA, the CIA and a host of other US spy agencies, US officials say the new DPF also shores up the legal basis for other forms of data transfers commonly used by big technology and pharmaceutical companies — Standard Contractual Clauses and Binding Corporate Rules.
While these transfer methods were upheld by the EU court, companies had to use them with caution: they had to add specific ways to mitigate risks for personal data transferred out of the 27-nation EU.
“When we did Privacy Shield, we didn’t have as good of a road map about what was necessary” to comply with European privacy law, the senior official said. “The Schrems II decision really gave us a pretty clear understanding of what that court thought the deficiencies were with the previous Privacy Shield [system]. So really, we and our partners in the European Commission were able to craft the DPF and the executive order [by President Joe Biden] for the redress mechanism to directly address the concerns that were raised by the court in the Schrems II decision. That’s why I think we have a little more confidence about the ability of this to withstand a legal challenge.”
When Privacy Shield was negotiated, US officials were working off Presidential Policy Directive 28, the post-Snowden signals intelligence reforms ordered by President Barack Obama in 2014.
“Those were really groundbreaking and strong and major changes, but those weren’t done with the European court’s decision in mind,” the senior official told MLex. “So they weren’t as targeted as we’ve been able to make the DPF.”
Schrems III
The namesake of the Schrems I case that erased the Safe Harbor data transfer system in 2015 and the Schrems II decision nullifying Privacy Shield in 2020 says a “Schrems III” decision on the new DPF could emerge from the European Court of Justice by 2024 or 2025.
Schrems’ privacy activist group Noyb said this week that once the first companies implement DPF within the next months, it will open the path for a legal challenge by a person whose data is transferred under the new framework.
Noyb hasn’t made a final decision on how it will appeal, but it’s likely to file a case at an Austrian court, MLex understands. The group said this week that the case could reach the European Court of Justice as soon as the end of this year, though the full process before a final decision from the top is expected to take two years.
Meanwhile, the existing Privacy Shield website is due to be shut down Friday, with the new DPF website replacing it two days later on Monday — in a nice piece of symmetry, three years and one day after the European Court of Justice decision nullifying Privacy Shield on July 16, 2020.
FTC enforcement will begin “immediately,” the senior Commerce official said. The FTC continued enforcing companies’ Privacy Shield commitments throughout the DPF negotiation process, even though Privacy Shield itself had been invalidated.
“So basically, those privacy commitments they made, their privacy policies, are still enforceable until they update their privacy policy to reflect the DPF. But then those commitments under the DPF will be enforceable as well by the FTC. So, there won't be a gap in enforcement,” the senior official said. “That's one thing we wanted to make sure of, is that there wouldn't be sort of a doughnut hole situation where you have this uncertainty.”
While this week’s adequacy declaration by the European Commission was specifically for the DPF as a transfer mechanism, it is also relevant to other transfer mechanisms because the changes US intelligence agencies made apply to all data transfers, not just the new Framework. “The commitments we made cover all data transfers; that also includes Standard Contractual Clauses and Binding Corporate Rules,” the official said.
Late last year, digital ministers from 38 countries agreed for the first time on a declaration of “common principles” on governments’ access to personal data held by the private sector for national-security and law-enforcement purposes, in a process brokered by the OECD. There was significant cross-pollination between the OECD process and the negotiations over the DPF, the senior official said, reflecting “a convergence” and a “shared understanding” in how democracies view government access to personal data.
“We've come to sort of a greater mutual understanding with the EU on these issues, and to some extent I think that's also illustrated by the OECD trusted government access work stream,” the senior official said. “I think a lot of the understanding of each other that sort of came up through the Privacy Shield and DPF negotiations has sort of fed into that, where we understand each other’s systems better, and we're recognizing that there are a lot of commonalities.”
