Romain Deslorieux | Director, Strategic Partnerships | Thales
On 10 July 2023, the European Commission adopted a new adequacy decision regarding the Data Privacy Framework (“DPF”). This follows the invalidation of the EU-US Privacy Shield, by the Court of Justice of the European Union on 16 July 2020. That decision of adequacy provides in substance that there is an adequate level of protection—comparable to that in the EU—for personal data transferred from the EU to US companies that are participating in the DPF.
Many articles and blogs portray the adequacy decision as finally allowing free personal data flow between the EU and US companies, without the implementation of additional data protection safeguards.
But does it really? Companies seeking to invoke the DPF as a legal instrument to transfer personal data to the US still need to run a full impact assessment to understand its benefits and possible limitations.
Understanding the Limitations of the Data Protection Framework (“DPF”)
The DPF is good news for privacy and the protection of personal data: it enables US companies to obtain a preliminary self-certification from the US authorities to adhere to the DPF provided they provide evidence of the implementation of certain legal safeguards.
However, European organizations need to dive with eyes wide open when transferring personal data to the US under the DPF. Here are some elements to consider.
Scope of application
The first important point to bear in mind is that the DPF only applies to registered organizations that must be US companies. So European companies cannot register to the DPF for instance to export data. The Data Privacy Framework is not automatic for American organizations or subsidiaries of EU businesses operating in the US.
Indeed, the DPF states: ““U.S. organizations that are subject to the jurisdiction of either the Federal Trade Commission (FTC) or the U.S. Department of Transportation (DOT) may participate in the DPF program”.
Industry limitations
The DPF is not available across all industries: only those regulated at a federal level under the FTC or DOT may self-certify. As stated by the International Association of Privacy Professional (IAPP) critical sectors such as financial services are therefore conspicuously excluded, leaving organizations without a clear pathway to data protection compliance and potentially exposing them to significant risks.
Ineffective cloud certifications
Although major US cloud service providers have self-certified under the DPF, it is crucial to understand that this certification does not extend to the data of clients stored within their services as explicitly mentioned in the Privacy Notices submitted by major cloud service providers. Consequently, European organizations may not leverage or rely on the self-certification of their major cloud service providers. This nuance is a critical aspect of the cloud responsibility model, reminding organizations that they bear the ultimate responsibility for securing their data, regardless of where it resides.
Geographical constraints
The DPF only impacts the flow of European personal data into the US. This geographical limitation means that data protection practices for organizations outside of these areas are not addressed by this framework, creating potential security and privacy vulnerabilities. This is especially challenging for multi-national organizations with operations in multiple countries.
Regulatory complexity
While the DPF may address certain requirements of “data transfers” from GDPR (Article 45), other regulations, such as the Digital Operational Resilience Act (“DORA”) and the Network and Information Security Directive (“NIS2”), are not covered by the DPF and further require organizations to protect sensitive data, especially when processed in cloud service. Other regulations than the DPF may also require supplementary measures be taken to protect the privacy and integrity of sensitive data.
Data Protection Framework’s Uncertain Future
In addition to the limitations listed above, organizations also need to be mindful of the uncertainties relative to the fact that the DPF emanated from two executive bodies of the EU (an European Commission decision) and the US (an executive order by the President). This, and the fact that the challenges posed by the previously invalidated Privacy Shield remain, presage an unstable future for the DPF.
The persistence of FISA 702
One of the main points of concern of the DPF is that the Foreign Intelligence Surveillance Act (FISA) 702 rules continue to permit extensive surveillance practices by the US government/agencies. These rules, origin of the invalidation of Safe Harbour and Privacy Shield, stand in stark contrast to the privacy-centric values promoted by GDPR and can potentially undermine the credibility and effectiveness of the DPF.
Dependence on an executive order
In the US, the foundation of the DPF rests on an executive order by the president. It is not based on a change of the fundamental laws of the USA (Act by congress or Supreme Court decision). This dependence introduces an element of fragility, as a change in administration or policy could lead to the revocation of the framework without the need for congressional approval.
The European Parliament’s stance
The instability mentioned about the US executive order may similarly apply to the adequacy decision by the European Commission.
In May 2023, the European Parliament voted a resolution (2023/2501) on the DPF. In particular, the EU Parliament “concludes that the EU-US Data Privacy Framework fails to create essential equivalence in the level of protection”. While this vote is non-binding and did not stop the adequacy decision, this opinion from no less than the EU Parliament itself, reflects broader concerns within the EU about data privacy and the effectiveness of transatlantic data protection mechanisms.
The European Data Protection Board (EDPB) ’s stance
In February 2023, the EDPB, the overall data protection supervisory authority in Europe, issued an opinion paper (5/2023) on the DPF, stating in essence that besides progress made, “the EDPB notes that some issues of concern previously raised in relation to the Privacy Shield principles remain valid.”
Legal challenges launched
The DPF already faces legal challenges in EU courts. Groups, such as Max Schrems’ NOYB, have expressed their concerns, especially that “the fundamental problem with FISA 702 was not addressed”. Lawmakers have already filed challenges with the European Court of Justice. If successful, these suits could lead to the invalidation of the DPF and a return to the status quo we had before the adequacy decision.
Hope for the Best, Prepare for the Worst
The Data Privacy Framework between the EU and the US represents a critical step towards safeguarding data in an interconnected world. However, its limitations and vulnerabilities require careful navigation. Ultimately, organizations should consider their digital sovereignty: their ability to maintain full control over their digital destiny – the data, hardware and software that they rely on to run their business.
To achieve digital sovereignty, here are a few essential recommendations:
- Perform a risk assessment
- Protect sensitive data throughout its life cycle
- Enforce separation of duties
- Automate data security governance
Download our Digital Sovereignty eBook to understand how Thales can help organizations achieve digital sovereignty.
Discover here how Thales CipherTrust Data Security Platform helps organizations discover and protect their data with state of the art encryption, and maintain their sovereignty posture with automated and centralised key and policy management.