The EU-US Data Privacy Framework: A New Era of Transatlantic Data Protection
Josef Bergt
2023
Introduction
In a significant development that marks a new era in transatlantic data protection, the European Commission has adopted an adequacy decision for the EU-US Data Privacy Framework. This decision underscores the commitment of both the European Union and the United States to ensure the safe and trusted flow of personal data across the Atlantic. The new framework introduces binding safeguards that address prior concerns raised by the European Court of Justice, thereby providing a robust mechanism for data protection that aligns with the principles of necessity and proportionality.
The EU-US Data Privacy Framework: An Overview
The EU-US Data Privacy Framework is a comprehensive mechanism designed to ensure an adequate level of protection for personal data transferred from the EU to US companies. The decision to adopt this framework is based on the conclusion that the United States ensures a level of protection comparable to that of the European Union. This means that personal data can flow safely from the EU to US companies participating in the Framework, without the need for additional data protection safeguards.
The Framework introduces new binding safeguards that address all the concerns raised by the European Court of Justice. These include limiting access to EU data by US intelligence services to what is necessary and proportionate, and establishing a Data Protection Review Court (DPRC) in the US, to which EU individuals will have access. If the DPRC finds that data was collected in violation of the new safeguards, it will have the authority to order the deletion of the data.
Key Improvements and Safeguards
The new framework introduces significant improvements compared to the mechanism that existed under the Privacy Shield. For instance, US companies will be able to join the EU-US Data Privacy Framework by committing to comply with a detailed set of privacy obligations. These include the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties.
EU individuals will benefit from several redress avenues in case their data is wrongly handled by US companies. These include free-of-charge independent dispute resolution mechanisms and an arbitration panel. In addition, the US legal framework provides for a number of safeguards regarding access by US public authorities to data transferred under the framework, in particular for criminal law enforcement and national security purposes. Access to data is limited to what is necessary and proportionate to protect national security.
The Role of the Data Protection Review Court
A key element of the new framework is the establishment of the Data Protection Review Court (DPRC). This independent and impartial body will have the power to investigate and resolve complaints from Europeans, including by adopting binding remedial measures. The DPRC will play a crucial role in ensuring that the new safeguards in the area of government access to data are effectively implemented and enforced.
The Impact on Transatlantic Data Flows
The adoption of the EU-US Data Privacy Framework is expected to have a significant impact on transatlantic data flows. The safeguards put in place by the US will facilitate these data flows more generally, as they also apply when data is transferred using other tools, such as standard contractual clauses and binding corporate rules.
Periodic Reviews and Future Steps
The functioning of the EU-US Data Privacy Framework will be subject to periodic reviews, to be carried out by the European Commission, together with representatives of European data protection authorities and competent US authorities. The first review will take place within a year of the entry into force of the adequacy decision, in order to verify that all relevant elements have been fully implemented in the US legal framework and are functioning effectively in practice.
Conclusion
The adoption of the EU-US Data Privacy Framework is a significant step forward in ensuring the safe and trusted flow of personal data across the Atlantic. It provides a robust mechanism for data protection that aligns with the principles of necessity and proportionality, and introduces new binding safeguards that address the concerns raised by the European Court of Justice. The new framework is expected to bring legal certainty to companies on both sides of the Atlantic and ensure safe data flows for Europeans.
Executive Summary:
- The European Commission has adopted an adequacy decision for the EU-US Data Privacy Framework, marking a new era in transatlantic data protection.
- The Framework ensures an adequate level of protection for personal data transferred from the EU to US companies, without the need for additional data protection safeguards.
- The Framework introduces new binding safeguards that address all the concerns raised by the European Court of Justice, including limiting access to EU data by US intelligence services to what is necessary and proportionate.
- The Data Protection Review Court (DPRC), an independent and impartial body, will have the power to investigate and resolve complaints from Europeans, including by adopting binding remedial measures.
- The safeguards put in place by the US will facilitate transatlantic data flows more generally, as they also apply when data is transferred using other tools, such as standard contractual clauses and binding corporate rules.
- The functioning of the EU-US Data Privacy Framework will be subject to periodic reviews, to verify that all relevant elements have been fully implemented in the US legal framework and are functioning effectively in practice.