[German]According to an announcement by U.S. Secretary of Commerce Gina Raimondo, the U.S. has now implemented its obligations under the EU-U.S. data transfer agreement "Transatlantic Data Privacy Framework" (DPF) and is now in compliance with the relevant conditions. I expect that the EU Commission will now issue an adequacy decision in the near future. The matter will then go back to the European Court of Justice (ECJ), where it will have to be assessed whether the data protection agreements provide equivalent conditions for EU citizens.
Statement from the U.S. Secretary of Commerce
I I came across U.S. Commerce Secretary Gina Raimondo's announcement on the EU-U.S. Data Privacy Framework (DPF) via the following tweet.
Today, the United States has fulfilled its commitments for implementing the EU-U.S. Data Privacy Framework (EU-U.S. DPF) announced by President Joe Biden and European Commission President Ursula von der Leyen in March 2022. This represents the culmination of months of significant collaboration between the United States and the EU and reflects our shared commitment to facilitating data flows between our respective jurisdictions while protecting individual rights and personal data.
On June 30, Attorney General Merrick Garland designated the EU and the three additional countries making up the European Economic Area (EEA) as 'qualifying states' for purposes of implementing the redress mechanism established under Executive Order (EO) 14086 on Enhancing Safeguards for United States Signals Intelligence Activities. The designation will become effective upon the adoption of an adequacy decision by the EU for the EU-U.S. DPF. Today, the Office of the Director of National Intelligence (ODNI) confirmed that the U.S. Intelligence Community has adopted its policies and procedures pursuant to EO 14086.
Taken together, the strengthened safeguards for signals intelligence activities established in EO 14086, designation of the EU/EEA as qualifying states by the Attorney General, the adoption of the Intelligence Community's implementing procedures, and the updated EU-U.S. Data Privacy Framework Principles will enable the EU to move forward with adoption of an adequacy decision for the EU-U.S. DPF.
Since US President Joe Biden and European Commission President Ursula von der Leyen announced the EU-U.S. Data Privacy Framework in March 2022, it has been up to the U.S. government to bring the Presidential Order to life and implement the commitments. This step has now probably been taken, as announced by the U.S. Secretary of Commerce. On the part of the EU Commission, a so-called adequacy decision must now be issued so that the EU-U.S. Data Privacy Framework (EU-U.S. DPF) can formally enter into force.
What is the gual?
For readers who are not so familiar with the subject, a few sentences on the background. For European companies to be able to transfer data abroad for processing, the destination country must guarantee the same data protection requirements as within the European Union. In countries of the European Union (EU), this is guaranteed by the GDPR. However, the EU Commission can determine in the context of an adequacy decision that a destination country also achieves this level of data protection for EU citizens.
One problem since the GDPR came into force in May 2018 is the USA. All US cloud providers and software providers whose products transfer personal data of European Union citizens to servers outside the EU would not be allowed to operate in the EU without an data transfer agreement with the US. The EU Commission had wanted to cure this with the so-called "Safe Harbor" agreement with the U.S. and create a framework for data transfer. After complaints from data protectionists, the case ended up on the High European Court of Justice (ECJ) in Luxembourg, which classified the agreement as not equivalent to the GDPR and overturned the whole thing (see Safe Harbor: EuGH erklärt Abkommen für ungültig).
Later the EU commission failed to implement a second data transfer agreement, called Privacy Shield, because the High European Court of Justice (ECJ) in Luxembourg classified the agreement as not equivalent to the GDPR and cancelled as illegal (see EuGH kippt EU-US-Datenschutzvereinbarung "Privacy Shield").
The EU-U.S. Data Privacy Framework (DPF) is now the third attempt of the EU Commission and the U.S. to cure the problem of the missing data protection agreement. In the articles linked at the end of the article I had traced the history so far, the EU Commission had already taken a preliminary adequacy decision at the turn of the year 2022/2023 (see EU-Kommission fällt vorläufige Angemessenheitsentscheidung zum Trans-Atlantic Data Privacy Framework).
Sorry for linking to the German blog posts – this is a German / European Union thing, and I haven't blogged about this in English.
Assessment of the new attempt
From the EU Commission's point of view, the new EU-U.S. Data Privacy Framework (DPF) should now create the legal framework for the transfer of personal data of EU citizens to the United States. Formally, I now expect the EU Commission to issue an adequacy decision promptly and announce it. Because the "business community" is urgently waiting for a valid data protection agreement with the USA, because formally even software like Microsoft Office or Windows cannot be used due to the unclear data outflow (see e.g. Datenschutzkonferenz 2022: Microsoft 365 weiterhin nicht datenschutzkonform). So-called "consultants" have therefore been arguing since fall 2022 that this is only a minor formal problem because the EU-U.S. Data Privacy Framework (DPF) is "coming soon and will create the legal framework."
But the attempt "stands and falls" with the question of whether the new DPF agreement will grant EU citizens in the U.S. the same legal protection with regard to personal data as in the EU. In the final analysis, we will have to wait for the expected lawsuit by data protectionists against the EU-U.S. Data Privacy Framework (DPF) before the European Court of Justice (ECJ) and the decision to be made by the judges.
But the whole thing is not hanging in a vacuum; data protection and privacy activists have already taken a closer look at the construct of the EU-U.S. Data Privacy Framework (DPF). Max Schrems of the Austrian organization noyb, who won the two lawsuits against Safe Harbor and Privacy Shield before the ECJ, assumes in his assessments that his third lawsuit before the ECJ against the DTF will also be successful.
In the blog post EU-Kommission fällt vorläufige Angemessenheitsentscheidung zum Trans-Atlantic Data Privacy Framework, I had collected first statements of data protection activists from Europe (noyb) and from the USA. I found the statement by the German Federal Commissioner for Data Protection and Freedom of Information (BfDI), Ulrich Kelber, and his European colleagues from the European Data Protection Authority (EDSA) very revealing. Both bodies have serious concerns about whether the DPF provides a level of data protection for EU citizens in the U.S. that is equivalent to the GDPR, including legal protection. The interpretations in the USA are fundamentally different from the interpretation in Europe by the EU Commission.
I had already addressed this conflict as well as the concerns of data protectionists in the blog post Stellungnahmen von ESDA und BfDI zum EU-U.S. Data Privacy Framework. My personal assessment: the EU Commission will formally announce the adequacy decision, "industry, public authorities and U.S. cloud providers" will cheer, but the organization noyb will file a lawsuit against the agreement before the ECJ. And then I see the probability as quite high that this third data protection agreement between the EU and the US will also fail, and everything will be put "back to square one".
