Spelling an end to Schrems II? The new Data Privacy Framework and its implications

In an increasingly digitalised world where data is transmitted to other countries, it is essential that personal data is protected. This is especially true when it comes to the cross-border transfer of health data, since this information requires a particularly high level of protection and is subject to different data protection laws and practices depending on the country. For example, the General Data Protection Regulation (GDPR) imposes stricter standards in terms of the protection of personal data (which also includes health data) in the EU than other countries do. A key step taken recently to ensure these standards are upheld is the EU-US Data Privacy Framework, which was adopted by the EU Commission in July on the basis of an adequacy decision made with respect to the US.

In this blog post, I explain what impact the Data Privacy Framework has on the transfer of health data between the EU and the US and what effects this has on how digital health apps are run.

Legal rulings on and regulations governing the exchange of data between the EU and the US over the years

The Safe Harbour Agreement was concluded between the European Union and the United States in 2000, and was intended to provide a legal basis for the international transfer of the personal data of EU citizens to the US. This agreement was made necessary due to the EU’s strict data protection standards. The aim was to enable companies to transfer personal data to countries outside the EU as long as they ensured an adequate level of data protection.

A key milestone is the Schrems I ruling in 2015. The ruling was brought about by a lawsuit filed by Austrian lawyer Max Schrems against Facebook. He launched the suit before the Court of Justice of the European Union (CJEU) over concerns he had about the transfer of his personal data from the EU to the US, which meant his data was not adequately protected. The CJEU ruled in favour of Max Schrems in October 2015, thus declaring the Safe Harbour Agreement that was then in force null and void. This decision had far-reaching implications on international data transfers and led to the establishment of new legal mechanisms to ensure the protection of personal data in cross-border transfers.

To establish a new legal framework for the transfer of personal data between the EU and the US, the EU-US Privacy Shield went into effect in 2016. The agreement sought to define the legal framework for protecting personal data through specific data protection principles governing the transfer of personal data from the EU to the US. The principles include transparency, data security and limits on data collection.

In the lead-up to the Schrems II ruling from 2020, the Austrian data protection activist Max Schrems filed another lawsuit to block the transfer of data from the EU to the US. The suit focused on the question of whether the data protection standards in the US are sufficient to allow for the transfer of personal data of EU citizens to the US. Reference was made to standard contractual clauses and data transfer to third countries in general during the trial. Schrems criticised the far-reaching authority of US authorities to access personal data. The CJEU ruled in favour of Schrems, leading to companies being required to review their data transfer practices and ensure they comply with EU data protection standards. On the back of the Schrems II decision, the 2020 EU-US Privacy Shield was also declared null and void as it failed to safeguard privacy and protect data protection rights.

The most recent (and currently applicable) adequacy decision was adopted on 10 July 2023. The Data Privacy Framework puts an end to a three-year period of uncertainty since the Schrems II ruling was handed down. It requires that the companies who are the recipient of data make a formal pledge to the US Department of Commerce to comply with the EU-US data protection principles. By doing so, they are classified as a secure data recipient. The companies certified under this framework are no longer subject to additional safeguards to ensure personal data is protected. You can view the public list of the Data Privacy Framework programme by clicking the following link: https://www.dataprivacyframework.gov/s/. As you will see there, large cloud providers like Google, Salesforce and Amazon have already signed up to the programme. In addition, access by US intelligence service to electronic communications, for example, must be limited to an absolute bare minimum in order to curb the basic surveillance methods employed by the American government.

What are the implications of the new EU-US Data Privacy Framework for digital health apps?

What are the implications of the new Data Privacy Framework with regards to the transfer of personal between the EU and the US for digital health apps? How should we view the new Data Privacy Framework?

Before the current Data Privacy Framework was adopted, companies had to prove, in the absence of an adequacy decision, that personal data was afforded the same level of protection as would be the case in the EU in the event that it is to be transferred the US. This requirement applies to companies that process their data in the US themselves or have it processed by an IT service provider or subcontractor of the IT service provider. Most software service providers, including the likes of Amazon, Microsoft and Oracle, are based in the US, which means that personal data is very likely to be transferred to the US. Because the EU-US Privacy Shield was rendered null and void and no equivalent level of protection had been established, data could no longer be transferred to the US. This caused uncertainty for many companies, especially when it came to health data. One example is the velibra health app, which assists patients suffering from anxiety disorders. velibra processed personal data in the US, even though this had already been banned under the CJEU ruling.

However, with the adoption of the EU-US Data Privacy Framework, personal data, including health data, can once again be transferred from the EU to the US as of 10 July 2023. In conjunction with Section 4(2) of the Digital Health Applications Ordinance (DiGAV), this opens up the possibility for digital health apps to process social data in the US. The law states that the processing of personal data outside the EU on the basis of standard clauses (Article 46 GDPR) and binding internal data protection rules (Article 47 GDPR) is not permitted. However, the ruling means that there are once again no restrictions on the ability of digital health apps to process data in the US. Regarding a similar law pertaining to the processing of social data in Germany (Section 80 of Book X of the German Social Code (SGB)), the possibility of processing data in the US will be available starting on 10 July 2023.

Outlook for the EU-US Data Privacy Framework (DPF)

It is important to note that there is a new legal framework for the transfer of data from the EU to the US. However, the legal framework has already come under criticism by NOYB – European Centre for Digital Rights and Mr Schrems because no substantive changes have been made to US surveillance laws and because intelligence agencies still retain the right to access personal data. In summary, a window has now opened during which companies are able to avail themselves of the services offered by US providers with less effort and legal uncertainty thanks to the DPF, pending a new ruling by the CJEU. As a result, companies and digital health app providers in particular should be able to cope with the uncertainty relating to data processing in the US for the time being, though they should not become too comfortable with the long-term situation.

You can find more exciting topics from the adesso world in our blog articles published so far.