The EU-US Data Privacy Framework (DPF) which was adopted on 10 July 2023 (see our article here) has already been challenged (and no, not by Schrems!). On 6 September 2023, before the DPF had its two-month anniversary, a member of the French Parliament (Philippe Latombe) filed two challenges; one to suspend the agreement immediately and another on the content of the agreement.
Amongst other things, concerns are raised over “the lack of sufficient guarantees for an effective remedy in relation to the protection of personal data and over US mass surveillance” – sound familiar?
Previous adequacy decisions
The DPF is the third adequacy decision covering data transfers from data exporters in the EU to the US, as its predecessors, the Safe Harbour Agreement and Privacy Shield were both invalidated – the Safe Harbour Agreement spanned from 2000 – 2015 and the Privacy Shield was introduced in 2016 and was subsequently invalidated in 2020.
The challenges to both the Safe Harbour Agreement and the Privacy Shield were brought by Max Schrems (an Austrian privacy activist) and in both cases, the CJEU found that potential for US government "bulk" surveillance of EU data subjects whose personal data had been transferred to the US was incompatible with EU law.
Why did the EU Commission sanction the DPF?
Prior to the EU Commission adopting the adequacy decision, certain policies/regulations were adopted in the US, namely an Executive Order on "Enhancing Safeguards for United States Signals Intelligence Activities" by US and a Regulation issued by the US Attorney General. These aimed to address the points raised in the second Schrems case (which invalidated the Privacy Shield).
Whilst the EU Commission appeared satisfied with the measures taken by the US, prior to the challenge lodged by Latcombe, Schrems already noted they were inadequate, so we were anticipating a challenge.
What does this challenge mean for businesses?
One benefit of an early challenge is that many companies may not yet have adapted their approach to transferring data from the EU to the US based on the adequacy decision and are likely to be reliant on the Standard Contractual Clauses or other appropriate safeguard to effect a compliant transfer. Therefore, the challenge to the adequacy decision may not have a significant impact on businesses that are relying on other safeguards for now.
Those business that have already made changes to their international data transfer approach following the adequacy decision may want to consider either reverting to their previous method (for example the Standard Contractual Clauses if not retained in place), or keeping a close eye on developments to ensure compliant transfers.
Of course, the UK does not benefit from the DPF adequacy decision and therefore for the purposes of UK GDPR other safeguards such as the new EU Standard Contractual Clauses (together with ICO UK Addendum), the UK International Data Transfer Agreement, or Binding Corporate Rules may be more appropriate.
Guy Cartwright
Jessica Gregson