The European Commission and the European Data Protection Board (“EDPB”) have recently published reports on the first year of implementation of the new EU–U.S. Data Privacy Framework (“DPF”). These reports analyze the application of data protection mechanisms in cross-border transfers between the EU and the U.S., as well as ongoing challenges.
While the European Commission highlights significant progress, the EDPB points to issues requiring further attention. These reports represent an important step in assessing the sustainability and future of the DPF.
What is the DPF and what are its innovations?
The new legal framework for personal data transfers between the EU and the U.S., established by European Commission Decision No. C(2023) 4745 of July 10, 2023 (“Decision”), enables data transfers without additional safeguards, based on the assessment that the U.S. ensures an adequate level of protection. This Decision marks the third attempt to establish a data transfer mechanism between the EU and the U.S., following the invalidation of previous frameworks – the Privacy Shield and Safe Harbor – by the European Court of Justice in the Schrems I and Schrems II rulings due to insufficient safeguards.
Key innovations introduced by the DPF include limiting U.S. intelligence agencies’ access to EU data to what is necessary and proportionate, and the establishment of the Data Protection Review Court, where EU citizens can lodge complaints. U.S. companies participating in the framework through certification are required to comply with strict obligations, such as deleting data when it is no longer needed and ensuring continued protection when sharing data with third parties.
European Commission Report: First Assessment of the DPF’s Effectiveness
The European Commission has recently submitted a report to the European Parliament and the Council of Europe on the implementation of the DPF. The report concludes that U.S. authorities have established the necessary structures and procedures for the DPF to operate effectively, marking a significant step in strengthening transatlantic data protection cooperation.
In its analysis, the European Commission evaluated whether all key elements of the DPF have been implemented and assessed how certified companies apply its data protection mechanisms. The report finds that U.S. regulatory authorities have established a certification process, with over 2,800 U.S. companies certified under the DPF to date—a significant increase compared to the previous Privacy Shield framework. During the first year of implementation, only 33 certification requests were denied, and a mechanism has been introduced to remind organizations of their re-certification obligations.
The report highlights the legal and regulatory changes in the U.S., including administrative steps within intelligence agencies and the Department of Justice, which enable more efficient implementation of the DPF. However, concerns remain about the practice of U.S. intelligence agencies purchasing personal data from commercial brokers, which could circumvent the obligations set by the DPF.
The report also addresses progress in establishing the Data Protection Review Court, which remains in its early stages. While the court is designed to allow EU citizens to lodge complaints against the handling of their personal data by U.S. intelligence agencies, the number of complaints submitted so far is low. This may indicate a lack of awareness among citizens about the court’s existence or the process for filing complaints, underscoring the importance of continued public education and information dissemination about this mechanism.
The European Commission concluded that, despite challenges, the first year of the DPF’s implementation has achieved significant progress in transatlantic data protection. It emphasized that continued EU-U.S. cooperation remains crucial for the stability and development of this data protection mechanism.
European Data Protection Board Report: Challenges in Implementation and Recommendations for Improvement
Shortly after the European Commission’s submission, the EDPB adopted its report on the first review of the DPF, focusing on its key aspects. The report acknowledges the efforts of U.S. authorities and the European Commission in implementing the framework but also identifies specific challenges in its application.
Regarding commercial aspects, the EDPB commended the U.S. Department of Commerce for developing a certification process, updating procedures, educating companies, and raising awareness about the DPF.
On government access to personal data, the EDPB analyzed the enforcement of safeguards such as the principles of necessity and proportionality, along with mechanisms to protect citizens’ rights. It called on the European Commission to continue monitoring these areas closely, particularly in light of legislative developments in the U.S., such as amendments to the Foreign Intelligence Surveillance Act.
The EDPB also considered recommendations concerning access to retained data for law enforcement purposes. It warned against the risk of infringing fundamental rights, particularly the right to privacy, due to overly broad data retention requests by authorities. The Board emphasized that such measures must adhere to the principles of necessity and proportionality, as outlined in the EU Charter of Fundamental Rights and the jurisprudence of the Court of Justice of the European Union.
Additionally, the EDPB highlighted the importance of preserving encryption security and rejected proposals that could weaken its effectiveness, such as enabling remote access to unencrypted data. It concluded that maintaining trust in technology, while respecting privacy and freedom of expression, is critical for the continued growth of the digital economy.
The EDPB report stresses the need for ongoing monitoring of the DPF’s implementation and recommends that the next review be conducted within three years. These conclusions underscore the importance of balancing privacy protection with effective law enforcement in transatlantic cooperation.
The Future of the DPF: Next Steps in Strengthening Cooperation and Privacy Protection
Although the first year of implementing the DPF has brought significant progress in aligning U.S. regulatory bodies with European data protection standards, the future of this legal framework remains uncertain. The further development of its application and of EU-U.S. cooperation will depend on political changes, particularly in light of the recent presidential elections in the U.S., which brought a change in administration.
The success of the DPF’s further development and proper implementation depends on continuous monitoring of how the protective measures are implemented and on ensuring that U.S. authorities maintain high standards of data protection. The European Union must continue to exert pressure on the U.S. to fully safeguard citizens’ rights, enabling the long-term success of this framework.
In this context, further improvements in the data protection system and strengthening the DPF through new regulatory initiatives and alignment with technological advancements will be crucial.
These changes should ensure a balance between the freedom of data transfer and privacy protection, providing a secure framework for future transatlantic relations.
By Sonja Stojcic, Senior Associate, PR Legal