The EU-US Data Privacy Framework is a unilateral act by the European Commission, not an international agreement. It acknowledges the sufficient level of protection for personal data transferred from the EU to US companies that adhere to the new EU-US Data Privacy Framework principles.

This framework is the third attempt after the 2000 Safe Harbour and the 2016 Privacy Shield was deemed invalid by the European Court of Justice. The European Commission emphasizes that the new framework significantly differs from the previous Privacy Shield, especially in two key aspects.

New Binding Safeguards

US President Biden’s Executive Order of October 2022 established new rules regarding the conditions under which US Intelligence Agencies could access personal data transferred from the EU to the US, based on the principles of necessity and proportionality. These principles, repeatedly raised by the jurisprudence of the European Court of Justice when assessing EU laws, are now binding for US Intelligence Agencies. They adapted their internal rules of procedure on July 3, 2023, to implement the Biden Executive Order and its necessity and proportionality principles.

New Redress Mechanism EU-US Data Privacy Framework

Instead of the former figure of the Ombudsman established by the Privacy Shield, a two-layer mechanism has been established. This mechanism allows an individual, whose data has been transferred from the EU to the US, to lodge a complaint before the new Data Protection Review Court. This court has investigative powers and can propose remedies. Although this court could be considered an administrative court within the Executive, its composition of six judges nominated by the US General Attorney ensures a sufficient level of independence.

Roles of the US Department of Commerce & US Federal Trade Commission

The new EU-US Data Privacy Framework only legitimizes the transfer of personal data from the EU to US companies that self-certify as compliant with the principles set by the EU-US Data Privacy Framework. The US Department of Commerce will process applications for self-certification and monitor whether signatory companies continue to comply with EU-US Data Privacy Framework principles. The US Federal Trade Commission is the enforcement authority in case US signatory companies stop complying with their obligations under the EU-US Data Privacy Framework.

Review and Assessment of the Framework

The European Commission will undertake a first review within one year after adopting the EU-US Privacy Framework to monitor relevant developments in the US and verify whether all relevant elements of the US legal framework are functioning effectively in practice. Subsequent periodic reviews will follow, at least every four years.

Other Adequacy Decisions EU-US Data Privacy Framework

After the summer, the European Commission will issue a report on the assessment of existing Adequacy Decisions for Argentina, Uruguay, New Zealand, Japan, Korea, and others. Regarding UK Adequacy Decisions, a sunset clause limits the duration of adequacy to four years. The European Commission is monitoring the debate towards a new UK Data Protection Act to ensure that future rules do not compromise the status of adequacy.

Data Protection for Sustainable Economic Relationships

The new EU-US Data Privacy Framework demonstrates that the EU and US can find balanced solutions on complex issues, within the mandate of the European Court of Justice and the criteria established in the Schrems Ruling. Both Presidents von der Leyen and Biden emphasize the importance of the Adequacy Decision for safe data flows and economic opportunities. There are more data flows between the EU and US than anywhere else in the world, enabling the more than $7 trillion EU-US economic relationship. Increasing data flows with other regions require more and more attention. Therefore, the European Commission should focus now on launching and accelerating the adoption process of Adequacy Decisions for third countries inspired by GDPR.

Like this? "Sharing is caring!"