On November 4, 2024, the European Data Protection Board (EDPB) released its first report on the periodic review of the Data Privacy Framework (DPF), the new agreement governing the transfer of personal data between the European Union and the United States. This framework, adopted by the European Commission on July 10, 2023, represents an attempt to address the concerns raised by the European Court of Justice in the Schrems I and Schrems II rulings, which had invalidated the previous Safe Harbor and Privacy Shield agreements.
Commercial aspects of the DPF
On the commercial implementation front, the U.S. Department of Commerce demonstrated a significant commitment during the framework’s first year of operation: at the time of the review, over 2,800 organizations were actively certified under the DPF, while more than 1,100 had withdrawn, and 2,600 were listed as inactive due to non-renewal of certification. This situation raised questions about how inactive organizations manage personal data, given that the framework requires them to specify whether the data received are returned, deleted, or retained, and obliges them to continue applying DPF principles to any data they retain.
The EDPB highlighted that the Independent Recourse Mechanisms (IRM) received a surprisingly low number of admissible complaints in the first year, with only nine cases recorded, mainly related to requests for deletion or access to data. This low complaint activity, combined with the lack of substantial proactive compliance checks, led the EDPB to call for enhanced proactive monitoring by U.S. authorities.
The issue of HR data continues to represent a significant point of divergence between European and American interpretations: while the U.S. Department of Commerce has traditionally limited the definition of “HR data” to the processing of employee data within the same corporate group, the EDPB advocates for a broader interpretation that includes any personal data relating to an employee in the context of an employment relationship, regardless of whether the transfer occurs within a corporate group or to a different business operator.
Governmental access to data
A key aspect of the review involved implementing Executive Order (EO) 14086, which introduces important safeguards for access to data by U.S. public authorities. The EDPB acknowledged the updates to the internal policies of intelligence agencies to incorporate principles of necessity and proportionality while emphasizing the importance of closely monitoring their practical application through concrete examples in future reviews.
The recent reauthorization of Section 702 of the Foreign Intelligence Surveillance Act (FISA) through the Reforming Intelligence and Securing America Act (RISAA) introduced significant changes, including an expansion of the definition of “electronic communication service provider.” According to U.S. authorities, this change aims to include a specific category of previously excluded companies, but its broad wording has raised concerns about the potential extension of surveillance.
A significant advancement is the establishment of the Data Protection Review Court (DPRC), with the appointment of eight judges and two special advocates. However, as of the review, no complaints had been filed through this new redress mechanism, making it impossible to assess its practical effectiveness; the annual review of the mechanism by the Privacy and Civil Liberties Oversight Board (PCLOB) is still pending.
New challenges and future prospects
An emerging issue of particular relevance involves U.S. intelligence agencies’ acquisition of personal data from commercial brokers, a practice not covered by the safeguards of EO 14086. This phenomenon requires careful assessment of its impact on data protection and close monitoring of usage practices, potentially followed by specific regulatory interventions.
Looking ahead, the EDPB recommended that the next review occur within three years instead of four, to allow a timely assessment of the effectiveness of compliance checks and practical experience in handling complaints. Special attention should be paid to developments related to Section 702 FISA, whose next reauthorization is expected in two years.
For organizations using the DPF, these conclusions suggest the importance of preparing for more rigorous compliance checks and paying particular attention to downstream data transfer practices and HR data handling.
Conclusion
The first review of the Data Privacy Framework highlights a familiar dynamic for those involved in privacy: the gap between theory and practice in personal data protection. On paper, the framework presents significant improvements over its predecessors, with a formally robust set of safeguards. The numbers, however, tell a different story: thousands of companies abandoning certification, very few complaints filed, and a court (the DPRC) still unused.
One wonders if we are witnessing the creation of an increasingly sophisticated legal architecture that is potentially disconnected from the operational reality of businesses and the actual protection needs of data subjects. The true success of the DPF will not be measured on paper but in its ability to become a living, effective tool for protecting fundamental rights in the context of transatlantic data flows: the next review, hopefully in three years, will tell us if this challenge has been met or if we are facing yet another case of “privacy on paper.”
For a more in-depth analysis of regulatory developments in EU-US data transfers, please refer to our previous article on the subject: https://www.lexia.it/2024/09/11/accordi-ue-usa/