Data Privacy Framework: Another Entry to the List of EU-US Unsuccessful Attempts at Cross-Border Data Transfer Frameworks?
- Rajasee Deshpande and Moksha Jain
- Apr 10
- 11 min read
Rajasee Deshpande and Moksha Jain*
[This post is part of the Data Protection Special Blog series: "Beyond Encryption: Tech & Data Protection". This series will feature blogs, such as the present one, which explore and analyse the reshaping of data security and privacy in an era of evolving technology, legal frameworks and regulations.]
ABSTRACT
Following the landmark Schrems II decision, transatlantic data protection has been fundamentally reshaped. The new Data Privacy Framework (“DPF”) is the latest effort to harmonize privacy standards between the EU and the US. The DPF seeks to tackle the key issues identified in Schrems II by ensuring effective avenues for redress, establishing stringent regulatory oversight, and guaranteeing that data transferred outside the EU receives the same level of protection as within its borders. This piece critically examines the structure of the DPF and questions whether its mechanisms truly meet the high standards set by the Court of Justice of the European Union (“CJEU”). It traces the legal developments leading to the DPF’s enactment, scrutinizes its consonance with the ruling in Schrems II, and offers recommendations to strengthen its adherence to the CJEU-established standards.
“They say the definition of insanity is doing the same thing over and over again and expecting a different result.”
- Rita Mae Brown in her book “Sudden Death”
INTRODUCTION
The European Union (“EU”) and the United States of America (“US”) appear to be devoted practitioners of this maxim, considering that they have consistently introduced three legislations with the same substance but under a different name.
To lay the groundwork, the EU and the US stand as each other’s foremost trading partners, with a bilateral relationship that generates approximately 9.4 million jobs and accounts for 1.6 trillion euros in goods and services annually. Acknowledging the importance of transatlantic data transfer, the EU and the US have jointly worked to establish data privacy frameworks governing cross-border data flows, but these were invalidated by the CJEU in the Schrems series of judgments, rendering such data transfers between 2000 and 2023 illegal. Therefore, the new transatlantic DPF was introduced in 2023 to govern US-EU data transfers while abiding by the requirements of the General Data Protection Regulation (“GDPR”). But it has been alleged that the new framework is an exact copy of its predecessor with minor changes.
In this piece, we assess the DPF, analysing it in the light of the legal principles set forth in Schrems II. This blog consists of three segments. The first segment of the blog will outline the concise chronology that led to the enactment of DPF and also provide an explanation of its provisions. The second segment will examine the correlation between the DPF and the ratio decidendi of the Schrems II verdict. The third and concluding segment will propose recommendations aimed at ensuring alignment of DPF with the Schrems II principles. Our blog seeks to answer the following legal question: Can the DPF stand its ground before the CJEU in a possible Schrems III case?
I. CHANGING THE NAME, NOT THE GAME: THE ENDLESS CYCLE OF PRIVACY SHIELDS
The fast-paced growth of the digital world necessitates a robust legal framework to regulate the global flow of personal data. This presents a significant challenge when nations, like the EU and the US, adhere to vastly divergent data privacy legislations. The EU prioritizes rigid protection of data through the GDPR, whereas the US adopts a more sectoral approach. To bridge this divide, the EU and the US have engaged in a series of endeavors to establish a data privacy framework, with the initial attempt being the Safe Harbor Framework (“SHF”) in 2000, which was designed to streamline data transfers between EU member states and US companies by allowing self-certification.
However, the SHF faced significant criticism due to its reliance on self-certification, as it created a discrepancy between declared adherence and actual practices. In 2011, Maximillian Schrems filed a complaint against Facebook, contending that the SHF failed to adequately protect EU citizens’ personal data from surveillance by US government authorities. The CJEU agreed in 2015 and ruled that, within the US, requirements pertaining to public interest, national security and law enforcement superseded the provisions set forth in the SHF, and thus invalidated it.
In the aftermath of the nullification of the SHF, the EU and the US negotiated the Privacy Shield Framework (“PSF”) in 2016, incorporating stricter regulations for data protection, including enhanced data subject rights, commitments from the US government to limit access by intelligence agencies to EU citizens’ data, and an ombudsperson mechanism.
Despite these improvements, the PSF still faced criticism regarding the enforceability of the US government’s assurances and the risk of unfettered access to data by US intelligence under national security exceptions. In 2020, the CJEU’s Schrems II judgment invalidated the PSF, citing concerns over US government access to personal data and potential bulk surveillance.
Following this invalidation, the EU and the US collaborated on a new data sharing agreement, i.e., the DPF, intended to address the Court’s concerns. In 2023, the European Commission (“EC”) adopted an Adequacy Decision for the newly established DPF. This decision signifies that the US framework, with its enhanced safeguards, offers a level of data protection deemed essentially equivalent to that of the GDPR.
A. SCHREMS II
On July 16, 2020, the Court rendered its verdict in the landmark ruling of Schrems II, where the Standard Contractual Clauses (“SCC”) were upheld as a valid mechanism, but the PSF was invalidated on the following grounds. First, the court noted that, like its predecessor, the PSF prioritizes public interest, national security, and law enforcement, allowing US companies to disregard privacy principles when the two conflict. The court concluded that this permits US authorities to violate EU residents’ fundamental rights. Second, the court criticized the US surveillance laws, especially Section 702 of the Foreign Intelligence Surveillance Act (“FISA”) and Executive Order 12333 (“EO 12333”), for lacking a sufficient redress mechanism for EU data subjects. Furthermore, these regulations do not provide effective remedies for data subjects and do not specify any restrictions on the authority granted to US public authorities beyond what is absolutely necessary, which makes them incompatible with the principle of proportionality. Third, the CJEU highlighted the inadequacy of the Ombudsperson mechanism, noting its lack of independence and its inability to afford a cause of action before a body which has the power to adopt decisions that are binding on the intelligence services.
B. DATA PRIVACY FRAMEWORK
In 2023, the EC adopted a new Adequacy Decision for the DPF to facilitate transatlantic data flows by allowing certified US companies to receive personal data of EU citizens without any need for ‘additional data protection safeguards.’ Certification under this Framework is voluntary, but once a company certifies with the International Trade Administration (“ITA”), compliance becomes mandatory and enforceable under US law. The DPF is built on core principles such as purpose limitation, data accuracy, minimization, security, transparency, individual rights, restrictions on onward data transfers, and accountability. A major change introduced by the DPF is the “necessary and proportionate” policy, which permits US intelligence agencies to access data only when such access is necessary and proportionate.
Executive Order 14086 (“EO 14086”), introduced by the US to implement the DPF, outlines key provisions for handling personal information collected through signals intelligence activities. Section 2 specifies requirements for the handling of such data by the government, while Section 3 establishes a redress mechanism for addressing concerns related to signals intelligence activities. The DPF further provides multiple avenues for redress, including independent dispute resolution and arbitration panels, both free of charge.
II. ALIGNING SCHREMS II WITH DPF
Upon analyzing the DPF in the context of the Schrems II judgement, we have identified three potential grounds for challenging the DPF:
A. Insufficiency of Principle of Necessity and Proportionality
The DPF is unlikely to withstand the CJEU’s scrutiny, as EO 14086’s explicit inclusion of the “principle of necessity and proportionality”, while a positive development, may still fall short of fully aligning with GDPR standards on the following grounds.
First, the difference in interpretation of “necessary” and “proportionate” between US and EU jurisprudence may lead to compliance discrepancies. The EU and the US diverge significantly in their approaches to necessity and proportionality in privacy and surveillance. Under EU law, as established in Schrems II, interferences with privacy must pass a strict necessity test, requiring them to be indispensable to a legitimate objective with no less intrusive means available. This is reinforced by Article 52(1) of the Charter, mandating clear, precise legal bases and actionable rights for individuals to challenge surveillance, as seen in Kennedy v. The United Kingdom. In contrast, EO 14086 in the US adopts a broader interpretation, allowing surveillance that is reasonably necessary for a validated intelligence priority without requiring it to be the least intrusive option. The legal basis for surveillance (e.g. FISA Section 702) also lacks clear limits and safeguards, as criticized in Schrems II, and fails to provide actionable rights for data subjects, raising compatibility concerns with Articles 7 and 8 of the Charter and Article 8 of the ECHR. This divergence highlights a fundamental difference: while the EU insists on rigorous safeguards to protect individual rights, the US framework, exemplified by FISA and EO 12333, prioritizes national security imperatives even if it means curtailing those rights. Thus, the US is likely to ascribe a meaning to “proportionate” that differs significantly from the understanding adopted by the CJEU, creating a potential conflict in its application.
Second, the six objectives under Section 2(c)(ii)(B) of EO 14086 for the “collection of signals intelligence through bulk collection” are not exhaustive, as the US President can unilaterally add new objectives without public disclosure, citing national security concerns. Furthermore, Section 2(e) clarifies that EO 14086 does not restrict signals intelligence collection techniques authorized under other laws or presidential directives, creating regulatory ambiguities. This unchecked discretion weakens the necessity and proportionality principles, as it allows broad surveillance without clear limitations, falling short of EU legal standards.
B. Two-tier Redressal: The Mechanism That Missed the Mark
The second ground for challenging the DPF pertains to its inadequate redressal mechanism. The new redressal mechanism improves on the former ombudsperson system with a two-layered approach: first, the Civil Liberties Protection Officer (“CLPO”) investigates complaints; this is followed by a review by the Data Protection Review Court (“DPRC”), which can issue binding decisions. EO 14086 enhances DPRC safeguards, requiring judges to be independent of the US government and limiting the Attorney General’s influence over panel reviews and judge appointments.
Again, despite EO 14086’s additional safeguards, significant concerns persist. First, the DPRC, being part of the executive branch rather than the judiciary, raises independence issues similar to those highlighted in Schrems II. While EO 14086 bars the Attorney General from interfering with the DPRC’s panel review or removing judges from the panel, the US President retains the authority to exercise such powers, potentially undermining its independence.
Second, following the completion of the review, the DPRC is mandated to inform the complainant solely of the outcome, indicating either that no covered violations were identified or that a decision calling for suitable remediation was issued. Consequently, without access to the decision of the DPRC, the complainant is deprived of the opportunity to exercise their right to “an effective remedy and to a fair trial” guaranteed under Article 47 of the Charter of Fundamental Rights of the European Union. Adding to the issue is the fact that the decisions of the DPRC are deemed final, with no avenue for the complainant to appeal these rulings in the US federal courts.
Third, Section 3 of EO 14086 states that the CLPO must, in any case, initially reply by stating that “Without confirming or denying that the complainant was subject to United States signals intelligence activities, the review either did not identify any covered violations or the Data Protection Review Court issued a determination requiring appropriate remediation”. As a result, the court’s decision is predictable even before a case is filed.
C. Conundrum of Onward Transfer of Data
The third ground concerns the ambiguity surrounding onward transfers of data. The term “onward transfer of data” refers to the further transfer of data from a US organization to a third party outside the US. The DPF states that such transfers will only occur under limited and special conditions where a definitive contract exists between the US company and the third party. However, the exact nature of these special and limited conditions remains undefined and unclear. Here lies a flaw. The DPF places the responsibility on the recipient US organization to maintain the standard of the data transfer according to the GDPR guidelines, which creates a potential loophole, as the GDPR itself states in Chapter V that no additional measures are required and onward data transfer is valid where an adequacy decision, such as that for the DPF, exists. Thus, US companies could take advantage of this loophole, as both the companies and the third parties can follow their own regional data protection laws, even if these are not on a par with the GDPR.
Therefore, considering these grounds, it is quite likely that the CJEU will invalidate the DPF in a possible Schrems III case on the ground that the US fails to ensure an adequate level of protection. Mr Schrems, through his organization “noyb”, has already announced plans to challenge the DPF in the near future.
III. SUGGESTIONS
1. Improvement in Redressal System
As observed before, the current redressal mechanism proposed by the DPF has two major drawbacks. First, there is a lack of transparency regarding the decision given by the DPRC: the complainant is only informed about the decision, which makes the process secretive. Therefore, it is suggested that the complainant should have access to all the documents during the proceedings and should have the power to access information at any stage of the proceedings before the DPRC. Second, there is no scope for appeal against the decision given by the DPRC; the decision is final and binding in nature, which raises the question of whether this aligns with the “principle of fairness and natural justice”. Thus, it is suggested that, in order to strengthen the redressal system, the complainant must have a provision to appeal to a higher court if not satisfied with the decision of the DPRC; possible avenues for appeal could be the US federal courts or the CJEU.
2. New Proposed Federal Data Privacy Law Falls Short of its Requirements
The introduction of the American Privacy Rights Act (“APRA”) in the US Congress fails to sufficiently address several key concerns, including the regulation of cross-border data transfers. APRA’s current framework lacks the necessary provisions to facilitate seamless international data flows, which are vital for maintaining compliance with GDPR’s adequacy standards.
Cross-border data transfers are regulated by Chapter V of the GDPR, which includes Adequacy Decisions, appropriate safeguards like SCCs and Binding Corporate Rules (“BCR”), and limited derogations for specific situations. In contrast, the APRA lacks any provision on cross-border data transfers, creating a significant gap between EU and US data privacy laws. While the US has several state-level privacy laws, there remains a need for a cohesive federal framework to harmonize these laws. Such a framework would provide uniformity and clarity to companies involved in data transfers between the US and the EU, ensuring seamless transfers. This would eliminate the need for companies to adjust their data transfer methods following every CJEU ruling that strikes down an agreement due to the absence of US privacy laws that are on a par with the GDPR.
The EU Parliament has further highlighted that the US is the only country with an EU adequacy decision that lacks a federal privacy law. Therefore, we suggest that the proposed APRA be expanded to include comprehensive rules for cross-border data transfers, as the DPF, despite its intent to address this gap, contains several flaws and loopholes.
CONCLUSION
This blog concludes that the DPF, in its current form, appears more like a diplomatic patchwork than a resilient legal framework. By sidestepping core concerns, such as the lack of a robust redressal mechanism, flaws in onward data transfers, and the inadequacy of the principles of necessity and proportionality, the EC has once again gambled on a data transfer mechanism that may not survive judicial scrutiny. The framework fails to ensure that EU citizens have actionable rights before an independent judicial body, leaving them with no recourse against potential privacy violations. Moreover, the dominance of FISA and EO 12333 undermines any real attempt at aligning the DPF with Schrems II standards, as surveillance activities remain permissible without strict application of the principle of necessity and proportionality. Given the CJEU’s firm stance in Schrems II, another legal challenge is not a question of if, but when.
We believe that, in order to create a more effective framework, two critical reforms are imperative: strengthening the redress mechanism to ensure independence and transparency, and equipping the APRA with regulatory authority over cross-border data flows. Additionally, without aligning US surveillance laws with the principles outlined in EO 14086 to limit unchecked surveillance, EU citizens’ rights will remain vulnerable. Without these changes, the DPF may soon be another legal relic, undone by the very concerns it sought to resolve.
*The Authors are third-year students at the Maharashtra National Law University, Nagpur.