What Is the New EU-US Data Privacy Framework?

The enactment of the EU-US Data Privacy Framework (DPF) on July 10, 2023, represents a significant shift in transatlantic data transfers. The adequacy decision by the European Commission recognizes the United States as offering an “essentially equivalent” level of protection for personal data, as required by the General Data Protection Regulation (GDPR). This new framework replaces the invalidated EU-US Privacy Shield, aligning with requirements set forth in Schrems II (CJEU, 2020).

Key findings indicate:

• Certification and Compliance:
  Eligible US companies may self-certify their adherence to the DPF Principles via the US Department of Commerce portal. Certification requires annual re-commitment and public declaration of compliance, increasing transparency and accountability (European Commission, 2023).

• Automatic Transfer:
  Organizations previously certified under the EU-US Privacy Shield are automatically incorporated into the DPF program, mitigating transitional compliance risks.

• Redress Mechanisms:
  The framework introduces an independent Data Protection Review Court (DPRC), enabling EU individuals to seek redress for alleged mishandling of their data by US authorities. This addresses prior CJEU concerns about lack of judicial remedies (Schrems II, 2020).

• US Government Access:
  Executive Order 14086 establishes legally binding safeguards limiting US intelligence agencies’ access to EU personal data. These safeguards are designed to be “necessary and proportionate,” aligning with GDPR standards (White House, 2022).

• Ongoing Monitoring:
  The European Commission, in conjunction with EU Data Protection Authorities, will conduct periodic reviews of the DPF to assess its effectiveness and compliance.

Notable outcomes:

• Increased legal certainty for businesses engaging in transatlantic data flows.
• Enhanced protection for EU citizens’ personal data.
• Restored trust in US-EU digital trade relationships.

However, data privacy advocacy groups remain skeptical. They argue that fundamental surveillance reforms in the US are still lacking, and further legal challenges are expected. The practical efficacy of the DPRC and the proportionality of US surveillance will likely determine the framework’s long-term viability.

References

• European Commission. (2023). Press release: EU-US Data Privacy Framework adopted. Link
• White House. (2022). Executive Order 14086. Link