The European Commission delivered its first review of the adequacy decision of the EU-U.S. Data Privacy Framework to the European Parliament and Council of Europe after its first year in force, and ultimately concluded that U.S. authorities "have put in place the necessary structures and procedures to ensure that the Data Privacy Framework functions effectively."

It said that, under recital 211 of the EU-U.S. DPF adequacy decision, it would conduct its next review of the framework in three years.

DigitalEurope Policy and Legal Counsel Alberto Di Felice, CIPP/E, said the fact that the European Commission will conduct its next review in three years was a significant development in and of itself.

"The level of involvement, the responsibilities taken on by different parties on both sides, and joint action between authorities all indicate strong cooperation," Di Felice said in an email. "A tangible sign of this is the Commission's hinting that the next review will be in three years, as opposed to a shorter yearly cadence that could have been possible."

The review primarily "focused on verifying whether all the constitutive elements of the framework are in place, experience with the practical application of the safeguards applying both to the processing of data by certified companies and to access to data by public authorities," according to the text.

The report recaps a DPF review meeting that took place in Washington, D.C., 18-19 July, featuring representatives of the European Commission's Directorate General for Justice and Consumers, the European Data Protection Board and representatives from selected member state data protection authorities. The U.S. delegation featured representatives from the U.S. Department of Commerce, Department of State, Federal Trade Commission, Department of Transportation, the Office of the Director of National Intelligence, the Department of Justice and the Inspector General for the Intelligence Community, as well as members of the Privacy and Civil Liberties Oversight Board.

Ahead of publishing, the Commission also received 40 stakeholder comments between 9 Aug. and 6 Sept. that were incorporated into the report.

The report details the European Commission's evaluation of the steps undertaken in the U.S. to operationalize the DPF, such as U.S. regulators establishing the DPF certification process and data collection reforms undertaken by the intelligence and national security community.

"This was called a joint review, right? But in reality, this is effectively a unilateral inspection by the European Union of the United States to see if it has complied with the commitments made in the Data Privacy Framework, particularly those made relating to national security," Georgetown University Law Center Senior Fellow Kenneth Propp said in an interview.

"At this point, it's a fairly well-established practice for the European Union; they do this for all their adequacy findings and the U.S. has been the subject of joint review procedures before," Propp continued. "It is worth noting that this is really still a pretty unusual thing for one jurisdiction to get this deeply into the activities of another."

Analyzing the first year of the DPF

During the Commission's review meeting with U.S. partners, representatives of the U.S. Department of Commerce said for the "first year of the DPF, the focus has been on putting in place the certification process, including developing dedicated IT tools, updating procedures, engaging with companies, and carrying out other outreach (and) awareness-raising activities."

According to the report, more than 2,800 U.S. companies are DPF certified, as compared to 2,400 companies under the prior trans-Atlantic data sharing agreement, the Privacy Shield. To become certified, U.S. companies must commit to the DPF Principles, declare that commitment publicly, subject themselves to the investigatory jurisdiction of the FTC or DOT, and publicly disclose their privacy policies.

So far under the DPF, the DOC has rejected 33 applications from organizations seeking to join the DPF, according to the report. The DOC is also creating a mechanism to remind organizations to re-certify their DPF credentials.

"Feedback received from trade associations and companies indicates that DPF-certified companies have taken a number of steps to ensure compliance with the DPF Principles," the report states.

In terms of consumer complaints brought under the DPF, the report notes there has been a "very low number" made to the partnering bodies that serve as Independent Recourse Mechanisms under the DPF, which include BBB National Programs, JAMS, TRUSTe and VeraSafe. The vast majority of complaints were ineligible. For instance, of the 87 complaints EU citizens made to BBB National Programs, the report found only two were eligible for resolution via the IRM redress track.

Review of U.S. legal developments

The report also highlighted recent legal and regulatory developments in the U.S. as signs that it was committed to ushering in the intelligence and national security reforms necessary to make the DPF successful.

"(The report) documents that the U.S. has taken really a very substantial number of administrative steps to implement the Data Privacy Framework," Propp said. "Over the past year, there have been a lot of formal processes that have occurred within the intelligence community, within the Justice Department, within the Commerce Department."

Of note, the European Commission applauded the implementation of White House executive order 14086 on Enhancing Safeguards for United States Signals Intelligence Activities, which supplemented reforms made to the U.S. Foreign Intelligence Surveillance Act when it was renewed in April and executive order 12333.

"U.S. authorities have taken further practical steps in the past year to implement (executive order) 14086 in their day-to-day operations," the report states. "In particular, intelligence agencies have put in place further internal policies and guidelines on the application of the (executive order), for instance internal processes to ensure that its necessity and proportionality requirements are complied with in the context of both targeted and bulk collection."

However, one area stakeholders outlined as a concern going forward was the practice of U.S. intelligence and law enforcement agencies purchasing personal data from commercial brokers as a potential end-run around FISA or executive order 14086. Under the DPF's Accountability for Onward Transfers Principle, such data acquisitions are only permissible for limited and specified purposes, on the basis of an existing contract between an EU-U.S. DPF certified organization and a third party, and if that contract stipulates the same level of protection as an organization bound by the DPF Principles.

"In this respect, it should be recalled that any type of voluntary sharing of data with third parties is subject to several detailed conditions under the DPF," the report states. "A certified organisation cannot share data with a third party (not acting as an agent/processor) without providing notice and choice to the individuals concerned."

The report also credits the work of the FTC conducting enforcement actions against data brokers that sold sensitive consumer data. It cites the examples of recent actions against data brokers X-Mode and Outlogic, which could serve as model cases for DPF accountability.

Data Protection Review Court not yet utilized

The report notes the progress made in operationalizing the Data Protection Review Court on the U.S. side, which was mandated under executive order 14086. EU citizens seeking redress for alleged mishandling of their personal data by U.S. intelligence agencies can file a complaint with an EU member state DPA via the secretariat of the EDPB.

The redress mechanism entails two layers, the first being an investigation carried out by the U.S. ODNI Civil Liberties Protection Officer. The second layer would be an appeal to the DPRC, depending on the ODNI CLPO's ruling. If the appeal is successful, or if the ODNI CLPO rules in favor of the EU citizen, that decision is binding on the U.S. intelligence agency in question.

"That DPRC decisions are binding on intelligence agencies is a key element of the new framework, and the Commission wouldn't have adopted the (adequacy) decision otherwise," DigitalEurope's Di Felice said. "Obviously, the Commission will be watching closely. It's also encouraging to see the EDPB's close collaboration with US authorities on operational aspects of complaint handling, which signals confidence in the DPRC's role."

However, to date, no EU member state DPA has received a citizen complaint for redress.

"The Commission's view of this seems to be, 'Well, it's still in the early days,'" Propp said. "Still, these mechanisms are brand new, and need to be given an opportunity to see how they're going to work in practice."

Commission recommendations and next steps

Over the next three years, the Commission's report called for close monitoring of a forthcoming U.S. PCLOB report on the implementation of executive order 14086 across the intelligence and national security apparatus and continued progress in further establishing the DPRC.

Information Technology Industry Council Senior Vice President of Policy and General Counsel John Miller said in the near term, the U.S. side should focus on activating the responsibilities of the PCLOB under the DPF and ensuring the DOC develops useful guidelines to help certified organizations remain in compliance.

"It will be important for the Commerce Department and other relevant agencies in the U.S., such as the FTC, to work together to develop common guidance documents, but also for them to work with industry stakeholders and specifically impacted companies," Miller said in an email. "These tools could certainly help provide guidance in complex situations involving onward transfers of such data, for instance."

The Commission will also monitor the DOC's use of more automated tools to streamline DPF compliance among certified organizations and to help identify false claims of certification, FTC enforcement of the DPF Principles, and further collaboration between the DOC, FTC and EU data protection authorities to develop common guidance on key DPF requirements, such as provisions governing how HR data is shared between U.S. and EU entities.

"The Commission very much values the very good cooperation with the U.S. authorities to conduct the review," the report states. "While this first review naturally focused on verifying whether all the constitutive elements of the framework are in place, experience with the practical application of the safeguards applying both to the processing of data by certified companies and to access to data by public authorities is necessarily limited after just one year of operation."

One complicating matter involving the future of the EU-U.S. DPF could be the outcome of the 2024 U.S. presidential election. As Propp noted in an article for The Atlantic Council, a change in administrations could result in the U.S. reneging on some of the commitments it made under the DPF. Propp referenced former Trump administration officials who co-authored the Heritage Foundation's Project 2025, and how they may be inclined to forgo any further reforms if the DPF is later overturned in a future Court of Justice of the European Union decision, as were its prior incarnations, the Safe Harbor and Privacy Shield.

"If there were to be a change in administration, it's conceivable that they would look critically at the DPF," Propp said. "Obviously, any change to it would have a significant effect on trans-Atlantic data transfers, whereas a cautious administration might not go in that direction."

Miller said he was more confident that there would not be as much of a change in policy if control of the White House were to change hands.

"I do not believe the election will impact the U.S. support for or continued implementation of its commitments pursuant to the DPF," Miller said. "The 'Schrems II' decision occurred during the first Trump administration, and officials at the Commerce Department and other relevant agencies prioritized working on a successor agreement to address the concerns raised by the CJEU in that decision almost immediately. When we transitioned to the Biden administration in January 2021, Biden administration officials obviously also prioritized getting a deal done."

Di Felice echoed the confidence that the U.S. election would not have a significant impact on the U.S. government's obligations under the DPF.

"The chances that the U.S. would 'back away' in any real sense, irrespective of which administration, are very remote," Di Felice said. "It's completely logical that the Commission will be looking at any political shifts from a new administration. Deterrence is very strong here, because of the political and economic significance of the framework on both sides."

Alex LaCasse is a staff writer at the IAPP.