The European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework, concluding it ensures U.S. protection of personal data transferred between the countries is comparable to that offered in the EU.

But even as its finalization was announced Monday, the new framework, which enters into force 11 July, is poised to face a legal challenge.

"Personal data can now flow freely and safely from the European Economic Area to the United States without any further conditions or authorizations," European Commissioner for Justice Didier Reynders said during a press conference Monday. "The adequacy decision ensures that data can be transmitted between the European Union and the U.S. on the basis of a stable and trusted arrangement that protects individuals and provides legal certainty to companies."

The deal comes just days after the U.S. Department of Justice and the U.S. Office of the Director of National Intelligence announced the completion of commitments under President Joe Biden's executive order concerning the framework. Twenty-four EU member states — representing a population of more than 424 million — voted 7 July in favor of the DPF while three unnamed member states abstained.

The U.S. International Trade Administration launched a Data Privacy Framework website that includes information on self-certification, participating organizations, enforcement and more.

A welcomed decision

A press release published by the European Commission said the "EU-U.S. Data Privacy Framework introduces new binding safeguards to address all the concerns raised by the European Court of Justice, including limiting access to EU data by U.S. intelligence services to what is necessary and proportionate and establishing a Data Protection Review Court."

Reynders said the framework "clearly" spells out necessity and proportionality requirements and "enforceable safeguards" with a "user friendly" redress mechanism. The new Data Protection Review Court will have the power to order deletion of data if it is found to be collected in violation of the new safeguards, he noted. And Europeans will be able to lodge complaints free of charge, before their local data protection authority, without having to demonstrate that their data has been accessed by U.S. intelligence agencies, an improvement he called "important and crucial to ensure effective access to redress, which is sacred."

European Commission President Ursula von der Leyen said the new framework "will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic." The U.S., she said, "has implemented unprecedented commitments to establish the new framework."

Under the U.S. commitments, EU member states along with Iceland, Liechtenstein and Norway are "qualifying states," and citizens will be able to file for redress through the Data Protection Review Court while obtaining enhanced U.S. privacy protections.

American University Washington College of Law Scholar-in-Residence and Adjunct Professor Alexander Joel, CIPP/G, CIPP/US, said the U.S. took "unprecedented steps" to address issues raised by the CJEU. Joel, former chief of the office of civil liberties within the Office of the Director of National Intelligence said, "when read in light of U.S. law and legal traditions, the new executive order provides ample grounds for the CJEU to find that the U.S. provides protections that are essentially equivalent to those laid out in EU law."

The European Data Protection Board will be developing "an information note for stakeholders on the implications of the DPF" in the coming weeks, Chair Anu Talus said.

The EDPB "looks forward to the European Commission participation in its next plenary meeting, where it will shed light on the final text of the adequacy decision and on the changes following the EDPB opinion," she said.

'Schrems III' upcoming

The EU-U.S. Data Privacy Framework replaces the EU-U.S. Privacy Shield, which was invalidated by the European Court of Justice in July 2020. Since then, Reynders said it's been "a matter of top priority" for the commission to restore stable and continuous protection of European data crossing the Atlantic.

While Reynders said the framework is "substantially different than the EU-U.S. Privacy Shield," privacy advocacy organization NOYB, which legally challenged the Privacy Shield and its predecessor the Safe Harbor Framework, said it is "largely a copy."

NOYB indicated it will appeal the framework, noting the "third attempt of the European Commission to get a stable agreement on EU-U.S. data transfers will likely be back at the Court of Justice (of the European Union) in a matter of months." The organization said the U.S. did not address "fundamental" surveillance issues.

"They say the definition of insanity is doing the same thing over and over again and expecting a different result. Just like 'Privacy Shield' the latest deal is not based on material changes, but by political interests. Once again the current Commission seems to think that the mess will be the next Commission's problem," said NOYB Honorary Chair Max Schrems. "We now had 'Harbors,' 'Umbrellas,' 'Shields' and 'Frameworks' — but no substantial change in US surveillance law. … Just announcing that something is 'new,' 'robust' or 'effective' does not cut it before the Court of Justice. We would need changes in U.S. surveillance law to make this work — and we simply don't have it."

Reynders responded to NOYB's announcement during Monday's press conference, saying the new system should be tested before announcing a legal challenge.

"I'm sure that we have very robust arguments to show that we now have a very different system than what we have had with Safe Harbor and also with the Privacy Shield," he said. "We are very confident to not only implement such an agreement, but to defend such an agreement in all the different procedures that we will have to face. Again, it's just a proposal, but why not test the new system before going too far in criticism of such a system."

Joel said how well the framework will fare before the CJEU is "of course, the million-dollar question."

"What is evident now is that, within the next couple of years, the CJEU is likely to rule on whether the EU-U.S. Data Privacy Framework provides essentially equivalent safeguards to those required by EU law. In the meantime, the adequacy decision should enable data flows to continue, including through mechanisms such as (standard contractual clauses) and (binding corporate rules)."

As the adequacy decision is finalized and ensuing litigation unfolds, Joel said he is "hopeful" that if particular concerns take shape "there will be room to figure out how to address them, through greater transparency and mutual understanding, or even policy changes."

But what happens if U.S. protections within the new framework are not enough to stand up to legal challenges?

"Well, as lawyers like to say, it depends. If the Court makes a determination that is fundamentally inconsistent with the Supreme Court's rulings on standing and thus would require an amendment to the Constitution, then I think we will be faced with a potentially insoluble crisis," he said. "I have heard European friends and colleagues say that amending EU law, — e.g. (the General Data Protection Regulation) — to help resolve these kinds of data flow challenges is simply off the table. Along those lines, I think U.S. experts would be unanimous in saying that amending the Constitution would be off the planet."