Understanding the DPF and the history behind it
In the complex world of data transfer frameworks, 2024 looks set to start on a high note. The much-anticipated EU-US Data Privacy Framework (DPF) has finally been implemented, first in the EU on 10th July 2023, then in the UK on 12th October 2023, after three years of intensive collaboration and work on both sides of the Atlantic. To date, it has been warmly received by businesses throughout the regions for reducing much of the traditional red tape and complication involved in international data transfers. As a result, the US and EU/UK are enjoying seamless data transfer for the first time in a number of years.
However, this period of data transfer bliss may prove to be short lived. Max Schrems, a lawyer and prominent data privacy activist – who successfully had both the DPF’s predecessors (the Safe Harbour Agreement and the Privacy Shield) ruled invalid by the Court of Justice for the European Union (CJEU) in 2015 and 2020 respectively – now has his sights set on the DPF. Given Schrems’ impressive track record, 2024 could prove a pivotal year for transatlantic data privacy legislation. Will Schrems get his hattrick or will it be third time lucky for those behind the DPF?
To understand the controversy surrounding the DPF, it’s important to first understand exactly what it is and the rationale behind its implementation.
As the world becomes increasingly digitised, the volumes of data being shared every day are increasing at an exponential rate. With many countries creating and enforcing their own legislation on data privacy, the act of sharing and transferring data internationally has become harder and harder to navigate from a legal perspective.
The DPF is designed to alleviate this by providing a set of binding rules and safeguards for the transferal of personal data between the EU/UK and the US. If US companies undergo the self-certification process specified in the DPF, they will be officially recognised as a trusted partner by the EU/UK, enabling them to freely exchange information with EU/UK companies as part of a bubble-style system.
As mentioned above, this isn’t the first time that data sharing legislation like this has been implemented. The US and EU’s first attempt at such legislation was the Safe Harbour agreement, which was initially implemented in 2000, but ruled invalid by the CJEU in 2015, following a case brought by Max Schrems (known as Schrems I).
The US and EU’s second attempt was introduced in 2016. Known as Privacy Shield, it was based on the same principles as Safe Harbour, but focused on more individual rights for EU citizens, stricter requirements for U.S. businesses and restricting U.S. government access to personal data. However, in 2020 this too was ruled invalid by the CJEU after another challenge by Max Schrems (Schrems II).
What is driving Max Schrems’ repeated (and successful) legal challenges?
A key recurring theme amongst the legal challenges to Safe Harbour, Privacy Shield and now DPF, is whether or not they go far enough when it comes to protecting the privacy rights of EU citizens. Max Schrems firmly believes they do not, which is why he continues to challenge each new attempt at a universal framework, with the CJEU ruling in his favour each time thus far.
While the DPF’s creators believe that it is sufficiently evolved from its predecessors, Schrems doesn’t agree. Two of his main criticisms are that it still allows for data collection by US intelligence agencies, and it doesn’t address onward transfers of data from the US to third countries. Furthermore, Mr Schrems believes some of the new controls introduced by the DPF, such as the establishment of a Data Protection Review Court, may not meet the standards of independence, transparency, and impartiality required under EU law.
What does the future hold for data sharing frameworks?
Another major showdown in the CJEU looks to be on the horizon, with the fate of the DPF firmly in the balance. But irrespective of the outcome, one thing is clear – the need for efficient data sharing between regions like the EU/UK and the US is becoming more and more critical.
In 2021, 93% of the UK’s services exports were data-enabled, and the UK exported more than £79 billion of these services (about 30% of the UK’s total data-enabled services exports) to the US. Organisations are increasingly reliant on these exchanges and each time a universal framework is ruled invalid, it throws the burden of compliance back onto them, causing significant business issues and delays.
The implementation of the DPF has taken a lot of unnecessary tasks away again, such as making transfer impact assessments every time. Now they just need to go to DPF website and check if a perspective vendor is on the approved list. However, If the DPF is ruled invalid by the CJEU, companies will quickly find themselves back at square one.
While protection of data privacy rights will always be paramount, the digital nature of modern business means companies simply won’t be able to function without some form of universal agreement in place going forward. Whether this is the DPF or one of its future successors remains to be seen, but businesses all over the world will undoubtedly be keeping a very close eye on ‘Schrems III’ when it comes to the CJEU in 2024.
Jakub Lewandowski is Global Data Governance Officer at leading data protection company, Commvault.
