On 24 April 2024, the European Data Protection Board ("EDPB") released a set of guidance documents and template complaint forms to facilitate the implementation of the redress mechanisms corresponding to the EU-U.S. Data Privacy Framework ("DPF") and transatlantic data transfers. These resources aim to empower EU citizens to exercise their rights with regard to EU-U.S. data transfers. This article provides an overview of the new resources and their relevance for companies.
In its adequacy decision, the European Commission specifically addressed the shortcomings identified by the Court of Justice of the European Union (“CJEU”) related to the legal redress options for EU individuals in case of EU-U.S. data transfers that existed under the invalidated Privacy Shield framework. EU individuals’ ability to seek redress under the DPF for commercial complaints (i.e., when alleging that a violation of the DPF has occurred) remains similar to the Privacy Shield’s multi-pronged complaint procedure. However, the new redress mechanism established under Executive Order 14086 (“EO 14086”) for complaints related to U.S. intelligence agencies’ access to EU personal data is a key update. This redress mechanism only applies to data transmitted after 10 July 2023.
The EDPB’s newly released guidance documents and template complaint forms address both commercial complaints under the DPF and complaints related to U.S. intelligence agencies’ access to EU personal data that has been transferred to the U.S.
EU individuals have two key redress options in case of EU-U.S. data transfers:
For commercial complaints related to processing of personal data under the DPF, individuals can issue complaints directly to the relevant DPF-certified company, through a free independent recourse mechanism, or by submitting complaints to their local EU data protection authority or directly to a relevant U.S. enforcement authority (the U.S. Federal Trade Commission or the U.S. Department of Transportation). EU individuals may also invoke binding arbitration with DPF-certified companies in circumstances where their complaints are not sufficiently addressed through other mechanisms for commercial complaints. The DPF’s redress mechanisms for commercial complaints are summarized here.
With regard to complaints related to collection and use of EU personal data by U.S. intelligence authorities for national security purposes, EU individuals are provided with a two-layer redress mechanism required under EO 14086, starting with a qualifying complaint sent by individuals through an EU DPA (which will check its completeness and verify the individual’s identity) to the Civil Liberties Protection Officer (“CLPO”) at the Director of National Intelligence, with an option to appeal the CLPO’s decision within 60 days at a newly established Data Protection Review Court (“DPRC”).
Third, with regard to the processing of personal data for law enforcement purposes by competent U.S. authorities, individuals may be able to seek redress under applicable U.S. laws.
To facilitate the use of the redress mechanisms, the EDPB published the resources below:
With regard to the collection and use of personal data by U.S. intelligence authorities for national security purposes:
An information note on the redress mechanism for EU/EEA individuals in relation to alleged violations of U.S. law with respect to their data collected by U.S. authorities competent for national security. [link]
A template complaint form that individuals can use to file a complaint at the CLPO: [link]
Rules of procedure on the redress mechanism for national security purposes. [link]
It is important to note that, while the redress mechanism for commercial complaints is relevant only to transfers of EU personal data under the DPF, the two-layer redress mechanism related to the practices of U.S. intelligence authorities for national security purposes applies irrespective of whether an organization is certified under the DPF. This means the redress options are also relevant where a data transfer is based on other transfer mechanisms, such as the EU standard contractual clauses (“SCC”) or Binding Corporate Rules (“BCR”), and can be taken into account by companies when performing a Transfer Impact Assessment (“TIA”), as confirmed by the EDPB in its 18 July 2023 information note (“the EDPB underlines that all the safeguards that have been put in place by the US Government in the area of national security (including the redress mechanism) apply to all data transferred to the US, regardless of the transfer tool used”).
With regard to redress of commercial complaints against a DPF-certified company, the EDPB published:
A DPF template complaint form for submitting commercial related complaints to EU DPAs: [link], and
Rules of procedure of the "Informal Panel of EU DPAs" according to the DPF: [link].
Note that the DPF template complaint form can be used by any EU individual seeking to file a complaint with enforcement authorities for commercial complaints (the EU DPA receiving the complaint will submit the complaint to the appropriate U.S. enforcement authority, or to the Informal Panel of EU DPAs, whichever is relevant). The rules of procedure of the Informal Panel of EU DPAs are relevant only if the DPF-certified company about whom the complaint is made has selected the Panel as its independent recourse mechanism or if the complaint relates to HR data (in which case compliance with the Panel is mandatory).
The EDPB’s new materials make it easier for EU individuals to access the DPF and EO 14086 redress options where they suspect an unlawful handling of their personal data by data recipients in the U.S. or U.S. intelligence agencies. The new materials could therefore potentially lead to an increase in the number of complaints and redress proceedings.
U.S. companies that are certified under the DPF must be able to process complaints from EU individuals regarding their data processing practices, and should review the EDPB’s template complaint form as well as the rules of procedure of the "Informal Panel of EU DPAs" to fine-tune their internal complaint handling procedures. These documents provide insights into the scope and details of commercial complaints that may be submitted by EU individuals to enforcement authorities.
Authored by Henrik Hanssen, Julie Schwartz, Julian Flamant, and Theresa Mengler.