
The Data Privacy Framework: the new mechanism for transferring personal data

Cyber news
September 12, 2023

On July 10, 2023, the European Commission adopted its adequacy decision concerning the EU-US data protection framework. The decision concludes that the US ensures an adequate level of protection - comparable to that of the EU - for personal data transferred from the EU to US companies under the new framework. On the basis of the new adequacy decision, personal data can flow securely from the EU to US companies participating in the framework, without the need for additional data protection safeguards.

In this blog post, a summary of the Olfeo podcast on the Data Privacy Framework recorded with Richard Montbeyre, Internet lawyer and DPO, we look back at the origins and history of this agreement and its previous versions, and discuss the legal and business impact on the use of US SaaS applications.

The Data Privacy Framework is the third attempt to establish a legal agreement on the circulation of personal data between the USA and Europe. How did this come about?

Since 2000, when the first iteration of this agreement, known as Safe Harbor, was put in place, the history of transfers between the European Union and the United States has been something of a thwarted partnership, dating back to Edward Snowden's revelations in 2013. In June 2013, the European Union and the rest of the world realized that the United States had developed massive electronic surveillance practices using access to European data, notably through well-known American service providers.
Since these revelations, which shook the entire world, the pendulum has swung back and forth between the desire to maintain an economic, strategic and commercial partnership between the United States and Europe, and rules on national security and fundamental freedoms that are still not very compatible between Europe and the United States, with very different ways of proceeding.
On five occasions, we've gone from authorizing the transfer of data from Europe to the United States to a virtual ban. In 2000, the U.S. Department of Commerce and the European Commission signed what was then known as the Safe Harbor agreement, which authorized transfers as long as U.S. organizations registered on a list on the Internet and thus certified that they would respect European law, including in the United States.
In 2013 came the Snowden affair and the Prism scandal. And so, two years later, the Court of Justice of the European Union, at the instigation of a figure who has since become very well known, Maximilian Schrems, at the time an Austrian law student, launched an action against Facebook on the grounds that Facebook was transferring data to the United States unlawfully. And the Safe Harbor was cancelled the year after, in 2016. Given this desire to maintain a strategic partnership, in 2016 the European Commission and the Department of Commerce adopted the Privacy Shield, which closely resembled Safe Harbor. Four years passed. The same Maximilian Schrems returned to the Court of Justice in July 2020. The Privacy Shield was annulled, and so we found ourselves once again in a situation where transfers to the United States were significantly more difficult to implement.
And in 2023, the same players are at it again. The European Commission and the U.S. Department of Commerce have set up a third partnership, very similar to the two previous ones, called the DPF, the Data Privacy Framework, which enables companies registering on a list on a website, as was the case for the Privacy Shield, to legitimize their transfers to the United States.

So, in effect, major instability and legal uncertainty for companies using American SaaS software. How does this relate to the application of the GDPR in Europe?

On the rules applicable to transfers, the GDPR has changed almost nothing. It took over the pre-existing rules, and indeed transfers to the United States were possible, then prohibited, then possible again before the GDPR. In fact, what happened on transfers after the GDPR is that we once again sought to confront rules of European law with rules of American law on subjects that go beyond the GDPR. In fact, we're talking about the balance between the protection of freedoms and of privacy on one side, and the practices of state surveillance and access to data for national security purposes on the other. And so what the GDPR has done is dramatize the situation, because it has increased the penalties.
This is the game being played out between players who are now well known, in a context that can easily be likened to the geopolitical context. What facilitated the conclusion of the Data Privacy Framework and the renewed partnership between Europe and the United States was clearly the geopolitical context and what happened in Ukraine. Decisions are also political, not just legal.

Which tools are really covered by this agreement? Are they products hosted in the United States? Products hosted in Europe? Tools based on American technologies but hosted in Europe?

It's not just a question of locating servers. Nor is it a question of the obligation to localize data on a European server. Finally, it's not a question of the nationality of the supplier.
As soon as a company or an individual is subject to American law, either because it is an American resident, or because it has a subsidiary in the United States, or because it has operations in the United States, it becomes subject to American law in the same way as someone who is in Europe, who has a subsidiary in Europe or who has operations in Europe would be subject to European law. It's not just a question of where the servers are located, or whether the supplier with whom I'm signing the contract is an American company. In fact, it could also be a French subsidiary of an American company.
The real question is whether the data of European citizens or residents will be accessible, remotely or on site, by people subject to American law. Because when this is the case, there is what is known as the Cloud Act, which makes American law applicable beyond American territory. All products and services covered by this scenario are affected.

When it comes to the cloud, for example, as soon as there is a need for maintenance, updating, incident resolution or support, it's clear that it's complicated to maintain cloud hosting while totally depriving the main service provider or support partner of access to the data.
So when choosing a service, you need to consider all aspects of the service, not just the server on which the environment will be hosted, because otherwise you're not being complete in your risk analysis.

If a company today would like to use a solution with the ambition of having a 100% sovereign solution, or at least one not subject to the Cloud Act, what are the boxes to tick for such a solution?

In fact, it's quite simple: any company subject to U.S. law must be totally excluded from the provision of the service. This means that we are entering into schemes where solutions, whether cloud-based or not, are containerized in a purely European environment, where no function, accessory or service is handled by a player subject to American law.

This is complicated by the fact that the Americans have developed services and offers that are relatively indispensable, at least for certain activities.

On July 10, the situation was reversed, as the use of US SaaS solutions was once again "authorized".

It's a reversal, since we're returning to the previous state of the law, to the Privacy Shield in a way. This doesn't mean that we can use solutions without any conditions or precautions, whether they be American or of another origin. We're no longer dealing with a ban, but with conditional authorization.
We have to make sure that the way the service is provided does not give access to data to people who have no reason to be authorized. We need to ensure general compliance with the GDPR, on user information, on respect for their rights, on limited data retention periods. All this is, moreover, independent of transfers; it must be provided and respected as part of the use of services. Without going into too much detail, what happened on July 10 was that we reinstated the possibility of registering on a Privacy Shield-type list.

The GDPR must apply whether or not there is a transfer. So it's true that this puts companies in a somewhat complicated situation. I have two examples that come to mind. Meta was fined 1.2 billion euros a few months ago, the largest fine ever imposed by the European data protection authorities. Since July 10, this fine would probably no longer be necessary.
Another troubling example concerns the use of Google Analytics to analyze user navigation on a website and display targeted advertising based on the use of cookie trackers. Many European companies stopped using Google Analytics because the conditions under which it could be used had become too complex, and so switched to other, supposedly more compliant tools. Today, since July 10, I can't see what's stopping companies from using Google Analytics again in its standard version. So it's clear that companies are in a situation where they are obliged to assume a share of the risk, which they have to measure out, understand and control, because their business didn't suddenly stop when the Privacy Shield was cancelled, and it's not going to start all over again from scratch the day the Data Privacy Framework was adopted.

And so you have to be able to navigate through this kind of regulatory storm and keep a certain course, and manage to measure out the risk for each supplier you use, and say to yourself: here's this new supplier, here's the trust I have in it, here's the level of compliance I recognize in it. To what extent does it change my risk exposure vis-à-vis my own customers, vis-à-vis a supervisory authority, vis-à-vis my decision-making and internal control bodies? It's a real balancing act. In fact, it's not an exercise in 100% or 0%. We're always in a rather turbulent zone.

How likely is it that this new start will also be invalidated by Schrems or someone else?

Admittedly, this new scheme is very similar in its main features to the two previous ones. So it's hard to imagine that it will be completely immune to the same criticisms as the previous ones, and therefore that it won't end in the same way, even if some improvements have been made.
What is certain is that this shows one thing, and that is that Europe and the United States want to maintain a partnership on many levels. And so these repeated cancellations are causing real concern and unrest among organizations and companies.

What's more, it's not out of the question for us to fall back into the same situation as before. And so, at some point, we may well ask ourselves whether there isn't a degree of madness in taking the same measures again. If Europe and the United States have the will, recognized by the organizations in charge, i.e. the executives and parliaments on both sides, to move forward together, what's to stop Europe and the United States signing an international treaty and recognizing, once and for all, that transfers can take place?
In which case, it would escape the jurisdiction of the Court of Justice of the European Union. I'm not saying this is what data protection organizations want. I don't know if it's what everyone wants, but there's something a bit ridiculous about struggling, cancelling and then starting again. It's these measures that waste a lot of everyone's time, rather than working on real compliance and rather than looking at how we can really protect people's privacy. So I think an international treaty would be a legal way out of this transfer madness.

You work for a company, and you're expected to purchase a variety of software to run your business. The question is, should you make your choices according to the legal framework of the day between the USA and the European Commission? Or should you try to remain independent and use common sense instead, looking at the constraints and trade-offs necessary for your business to run smoothly?

It's a bit of all of the above. Obviously, I think the most important thing for a company is to have the tools, the instruments, the means and the resources that enable it to fulfill its function, to carry out its activity, and therefore to comply with the applicable law. It's essential, and a source of risk if it isn't, so it must be part of the decision-making process. But compliance with the law is a condition. It's not the reason to call in a supplier. Some people make decisions on the basis of a single criterion, or two or three, and say so clearly. It's clear that in this area, there are many criteria. There's one we haven't mentioned, although we've talked a lot about politics, geopolitics and international relations. This is the fact that the Data Privacy Framework, i.e. the mechanism that has just been adopted, is legally based on the European Commission's assessment that the executive order limiting US surveillance practices, which was signed by President Biden last October, is in place and effective.

The American elections are just over a year away. We're talking about what might be called an Executive Order. And so it's not too difficult to imagine, without resorting to political fiction, that if the presidential majority were to change in the United States in a year's time, this type of decision, the purpose of which is to reduce the powers of the American national security protection authorities in favor of Europeans, could be modified, or even cancelled or retracted.
And in such cases, once again, it's not completely unimaginable that the European Commission, when it comes to reassessing the effectiveness of the DPF, will realize that the deal has not been honored after all. And so I think that this should encourage both caution, and not to imagine that things have been settled once and for all, because we've clearly seen that this is not the case, and also a certain form of serenity in the sense that we know that the Europe-US partnership will persist. We are well aware that measures will be taken on both sides to ensure that we can continue to work together under certain conditions.