The European Commission adopted a new system for EU-US personal data transfers, the Data Privacy Framework (DPF), on 10 July 2023. Its enactment, the "adequacy decision", is set to replace the invalidated Privacy Shield, which was struck down after heavy criticism in the Schrems II ruling. This is the third attempt to devise an adequate method for protecting personal data transferred from companies in the EU to the US, and we have yet to see any improvement in practice.
On the other hand, the Serbian Data Protection Adequacy list has formally listed the US as a destination to which data may be transferred without any safeguarding mechanism throughout the entire post-Schrems II period, even though the advice of the Serbian Data Protection Commissioner (the "Commissioner") was to conclude Serbian Standard Contractual Clauses and continue transfers to the US on that basis.
The Privacy Shield
To emphasise the development of the new framework in protecting personal data, the content of the previous Privacy Shield will be outlined and a point of comparison made. A legal mechanism used since 2016 as a basis for the transfer of personal data from the EU to the US, the Privacy Shield was abolished by the decision of the CJEU in July 2020, when the decision of the European Commission 2016/1250 on the EU-US Privacy Shield arrangement was declared invalid. The main reasons for invalidating the Privacy Shield include:
- shortcomings in the US laws;
- the lack of adequate protection against the wide scope of surveillance; and
- the inability for data subject rights to be actionable before the courts against US authorities.
Not only were data subjects unable to exercise their rights before an independent body, but the Privacy Shield also did not provide guarantees equivalent to those required by EU regulations. These included independence of the oversight body and legal force for its decisions, so that they would be binding upon the US intelligence services. Consequently, the Data Privacy Framework primarily seeks to limit the ability of US agencies to access large amounts of personal data transferred from the EU and to meet the minimum standards of the rule of law, thereby remedying the shortcomings of the previous Privacy Shield.
The Data Privacy Framework
Whether the DPF has fulfilled the objectives listed in the paragraph above can be assessed by looking at its contents. The DPF introduces new binding safeguards, which seek to correct the reasons for which the CJEU abolished the Privacy Shield in the first place. These include access to EU data by the US intelligence services only to the extent that is necessary and proportionate. In addition, a Data Protection Review Court is established to which EU individuals will have access. If this court establishes that data were collected contrary to the new safeguards, the data may be deleted. Moreover, according to the new mechanism, US companies (as data recipients) will have access to the data upon certification, i.e. by undertaking to abide by a series of rules and obligations established thereunder, such as the obligation to delete data once they become obsolete, as well as to ensure continuous protection of data shared with third parties.
Lastly, the functioning of the EU-US Data Privacy Framework will be subject to periodic reviews by the European Commission together with representatives of European data protection authorities and competent US authorities. The first review will take place within a year of the entry into force of the adequacy decision to verify that all relevant elements have been fully implemented in the US legal framework and are functioning effectively.
The DPF does not validate all data transfers to the US. Only US companies that have undergone a certification process under the DPF will be able to import personal data from the EU and EEA without the need to rely on alternative data transfer mechanisms. The certification process will be performed by the US Department of Commerce, while organisations already certified to the Privacy Shield will have to update their privacy policies to account for the DPF in the upcoming three months. The US Department of Commerce will maintain a list of certified organisations, which will serve to demonstrate that an organisation can receive personal data based on the DPF from the date it is placed on the list.
Therefore, the DPF establishes that the US now provides an adequate level of personal data protection, essentially equivalent to that of the EU. This means that personal data can now flow freely from the EU to US companies participating in the DPF, without the need to implement additional safeguards such as standard contractual clauses or binding corporate rules.
Implementation in Serbia
When it comes to transferring personal data between Serbia and the US, the Decision on the List of countries, parts of their territories, one or several sectors of certain activities in such countries and international organisations which are deemed to have adequate level of personal data protection (Off. Gazette of RS no. 55/2019) (the "Decision") established that the transfer of personal data from Serbia to the US is limited to the "Privacy Shield framework". However, even though the Privacy Shield was invalidated in 2020, the Decision has not been amended accordingly. The Commissioner did encourage transfers on the basis of signed Serbian Standard Contractual Clauses. Thus, it remains to be seen what stance the Commissioner will take; in view of the Decision, Serbian data exporters need only make sure that importers are certified and active under the DPF, while checking that they comply fully with the framework. Nevertheless, it is worth monitoring closely whether the Commissioner will react to the adoption of the DPF.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.