The New EU-US Data Privacy Framework: What Legal Professionals Need to Know

DCU Law and Tech regularly publishes blog posts on topics in law and technology, written by a variety of authors.

Montserrat Guzmán
Lawyer, EMILDAI Student

On July 10th, 2023, the European Union (EU) Commission announced a significant decision related to the United States that allows for transferring personal data between the EU and the US. This decision confirmed that the US ensures an adequate level of protection for personal data transferred from the EU to organisations in the US that are included in the Data Privacy Framework List maintained by the US Department of Commerce. The new adequacy decision is called the Data Protection Framework (DPF), and it replaces the invalidated Privacy Shield Framework, introduced in 2016 to protect personal data transfers between the EU and the US.

The DPF protects personal data transferred between the EU and the US. The DPF contains several vital elements to ensure that personal data is adequately protected, including solid obligations on companies handling personal data, robust enforcement mechanisms, clear limitations on US government access to personal data, and recourse mechanisms for EU citizens to seek redress in the US if their data is mishandled. These elements provide a framework for the ongoing cooperation between the EU and the US to ensure personal data protection.

From the Safe Harbor to the Data Protection Framework

The Safe Harbor Agreement was a framework that allowed for transferring personal data between the EU and the US. However, in 2015, in a landmark case known as Schrems I, the Court of Justice of the European Union (CJEU) invalidated the Safe Harbor Agreement due to concerns about US surveillance practices and the lack of adequate protection for personal data.

In response to Schrems I, the Privacy Shield Framework was introduced in 2016 to provide adequate protection for personal data transfers between the EU and the US. However, in July 2020, in another landmark case known as Schrems II, the CJEU invalidated the Privacy Shield Framework. The CJEU found that US surveillance practices, such as the collection of data in bulk, did not provide adequate protection for personal data and violated the fundamental rights of EU citizens.

After the invalidation of the Privacy Shield Framework, the EU and the US negotiated to develop a new framework for transferring personal data. In July 2021, the European Commission adopted an adequacy decision related to the US called the Data Protection Framework (DPF). The DPF contains several vital elements to ensure the protection of personal data transferred between the EU and the US, including clear limitations on US government access to personal data and robust enforcement mechanisms to ensure US companies comply with the DPF.

It is important to note that while the adequacy decision is a positive development for transatlantic data transfers, it does not mean that the EU Commission endorses all US data protection practices. The decision is based on an evaluation of the US legal system as a whole, and the EU Commission will continue to monitor the situation to ensure that personal data is adequately protected in the US.

Overall, the Safe Harbor Agreement, Schrems I, Privacy Shield, and Schrems II represent significant developments in protecting personal data transferred between the EU and the US. The DPF replaces the Privacy Shield Framework and provides a framework for ongoing cooperation between the two regions to ensure personal data protection.

What the New EU-US Data Privacy Framework Means for Your Business

The Adequacy Decision has applied since July 10th, 2023, and it means that transfers from the EU to US organisations included in the Data Privacy Framework List may be based on the Adequacy Decision without relying on Article 46 GDPR transfer tools. This also means that transfers based on the Adequacy Decision do not have to be complemented by supplementary measures.

However, transfers to entities in the US that are not included in the Data Privacy Framework List cannot be based on the Adequacy Decision and will require appropriate data protection safeguards, enforceable rights, and effective legal remedies for data subjects under Article 46 GDPR. Furthermore, legal professionals should advise clients to monitor the situation to ensure that personal data is adequately protected in the US and to understand the scope of the decision and the requirements for transferring personal data to the US.

It is also important to note that while the adequacy decision is a positive development for transatlantic data transfers, it does not mean that the EU Commission endorses all US data protection practices. The decision is based on an evaluation of the US legal system as a whole, and the EU Commission will continue to monitor the situation to ensure that personal data is adequately protected in the US.

Conclusion

In conclusion, the Adequacy Decision represents a significant step in protecting personal data transferred between the EU and the US. It ensures an adequate level of protection for personal data transferred from the EU to organisations in the US that are included in the Data Privacy Framework List. However, legal professionals should be aware of the limitations of the decision and advise clients accordingly to ensure that personal data is adequately protected in the US.

Legal professionals should also stay updated on any changes to the DPF and US data protection laws to ensure their clients remain compliant with relevant regulations. The DPF represents an ongoing commitment to protecting personal data, and it is essential to understand its implications and requirements.

Montserrat Guzmán is a Mexican lawyer with a passion for technology and finance. She specialises in financial law, with experience in AML/CFT, Corporate Law, management, and developing policies, procedures, and controls. Montserrat is currently studying for a European Master in Law, Data and Artificial Intelligence (EMILDAI) and is a blog editor of this EMILDAI blog. She worked as a Legal Intern at Arthur Cox LLP, a Tender Coordinator at ConsortiaCo, and an AML & CFT Supervisor at the National Banking and Securities Commission of Mexico. She is pursuing a European Master in Law, Data and Artificial Intelligence at Dublin City University.
