On July 10, 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework. This framework allows personal data to flow freely from the European Economic Area (EEA) to participating organizations in the US without further conditions or authorizations.
A brief history of the EU-US Data Privacy Framework
The latest privacy framework is the third attempt to establish such an agreement across the Atlantic.
The Safe Harbor Agreement, originally established in 2000, was invalidated by the Court of Justice of the European Union (CJEU) in 2015, three years before the EU General Data Protection Regulation (GDPR) came into force.
The Court of Justice argued that the Safe Harbor Agreement allowed the legal transfer of personal data in the absence of a comprehensive adequacy decision for the US.
The Privacy Shield was introduced in 2016 to replace the Safe Harbor Agreement. However, this agreement was also invalidated by the CJEU. In the landmark Schrems II case, the Court raised concerns about rules in the US that allow intelligence agencies to collect data on foreign nationals, contrary to the rights guaranteed in the EU Charter.
Since the invalidation of the Privacy Shield in 2020, the EU and US have been working to establish a new working agreement to allow data transfers between them.
What the EU-US Data Privacy Framework means for Europe
The framework ensures that EU citizens’ data privacy is protected in a way similar to the protection provided by GDPR. It also grants EU citizens rights over their data handled by US companies, including:
- Right of access to data handled by US companies
- Right of correction or deletion (for incorrect or unlawfully handled data)
- Rights of redress via a formal complaints process that includes the right of appeal
For European businesses, the framework removes some of the due diligence burden associated with personal data transfers to the US. They will be able to engage in data transfers freely with participating US companies.
What the EU-US Data Privacy Framework means for the US
Companies wishing to engage in personal data transfers with EU businesses need to certify their participation in the framework. The US Department of Commerce has created a website to allow US companies to self-certify against the privacy obligations of the framework.
This process also enables US businesses to self-certify to additional requirements of the UK Extension and Swiss-US Principles. However, adequacy decisions from the UK and Switzerland are not yet in place.
The new framework was made possible through an Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities,” signed by President Biden on October 7, 2022. This Order addressed the primary concerns raised by the CJEU against the Privacy Shield agreement.