US companies doing business in European Union countries must comply with European privacy laws such as the GDPR. In many cases, US companies collect the personal data of EU residents and transfer it to the US for processing. However, the rules governing the processing of personal data, and the privacy protections afforded to EU users and US users, differ in several respects.
The EU – US Privacy Shield Framework was created to enable US companies to receive the personal data of European users without violating EU privacy laws. It went into effect on 12 July 2016 after being approved by the European Commission.
However, the Court of Justice of the European Union invalidated the EU – US Privacy Shield on 16 July 2020 (the Schrems II judgment), finding that US surveillance law did not offer EU residents protection essentially equivalent to that guaranteed in the EU. With the Privacy Shield gone, companies were left without a clear basis for transferring personal data from the EU to the US: the standard contractual clauses remained available, but only together with a case-by-case assessment of whether US law undermined their protections.
The EU – US Data Privacy Framework
In March 2022, EU and US leaders announced that they had agreed in principle on a new framework for transatlantic data transfers, the EU – US Data Privacy Framework (DPF).
On 7 October 2022, US President Biden signed Executive Order 14086, which implements the US commitments under the framework. The executive order was followed by regulations issued by US Attorney General Merrick Garland, including those establishing the Data Protection Review Court.
On 13 December 2022, the European Commission launched the process for adopting an adequacy decision for the Data Privacy Framework.
The draft decision concludes that the US ensures an adequate level of protection for personal data transferred from the EU to US companies participating in the DPF, and sets out the steps the US has taken to implement its commitments. The Commission has published the draft decision and transmitted it to the European Data Protection Board for its opinion, a required step in the adoption procedure. Once the adequacy decision is adopted, personal data will be able to flow from the EU (and from the EEA countries Norway, Liechtenstein and Iceland) to DPF-certified US companies without further transfer safeguards.
Data Privacy Framework privacy obligations
Most importantly, the Data Privacy Framework introduces limitations and safeguards on access to personal data by US public authorities for criminal law enforcement and national security purposes. The absence of such limits, and of an effective redress mechanism for EU residents, was the main reason the Court of Justice invalidated the Privacy Shield.
Under the new legal framework, the following limitations apply:
- Access to the personal data of EU residents by US public authorities is limited to what is necessary and proportionate to protect national security;
- A Data Protection Review Court (DPRC) has been established as an independent and impartial redress mechanism. EU residents can lodge complaints about the collection and processing of their data by US intelligence agencies; the Court will investigate and resolve those complaints and can order remedial measures where it finds a violation.
US companies can join the EU – US Data Privacy Framework by self-certifying their commitment to a detailed set of privacy obligations. These include deleting personal data when it is no longer necessary for the purpose for which it was collected, correcting data or providing access to it on request, ensuring that personal data remains protected when it is shared with third parties, and submitting to independent oversight. Note that the adequacy decision only covers transfers to US companies that have certified under the framework; transfers to other US recipients still require another transfer mechanism.
EU residents will also have access to a redress mechanism if the processing of their personal data violates the Framework. This mechanism, including the arbitration panel that serves as the last resort, is free of charge to the individual.
The draft decision will now go through the adoption procedure. The European Commission has submitted it to the European Data Protection Board for an opinion. It will then need the approval of a committee composed of representatives of the EU Member States. Meanwhile, the European Parliament has a right of scrutiny over the draft decision.
Once this procedure is complete, the European Commission can adopt the final adequacy decision for the DPF.
After the EU – US Data Privacy Framework enters into force, it will be subject to periodic reviews carried out by the European Commission together with European data protection authorities and the designated US authorities. The first review will take place within one year of the decision's entry into force, to verify that all relevant elements of the US legal framework have been fully implemented and are functioning in practice.
Once the DPF is in force, European businesses will be able to transfer personal data to DPF-certified US companies without putting additional transfer safeguards, such as standard contractual clauses, in place. An adequacy decision can be challenged before the Court of Justice, as the Privacy Shield was, so businesses should be prepared for the possibility that the framework is revisited.
Frequently Asked Questions
What is the EU – US Privacy Shield Framework?
The EU – US Privacy Shield was a legal framework regulating personal data transfers from the EU to the US so that they complied with EU data protection requirements. It went into effect on 12 July 2016 and was invalidated by the Court of Justice of the European Union on 16 July 2020. The new EU – US Data Privacy Framework is expected to replace it in 2023.
What is the EU – US Data Privacy Framework?
What are the next steps in the process of the adoption of the EU – US Data Privacy Framework?
Which data privacy framework has been proposed by the EU?