EU–US Data Privacy Framework

The EU–US Data Privacy Framework is a European Union–United States data transfer framework that was agreed to in 2022^[1][2] and declared adequate by the European Commission in 2023.^[3] Previous such regimes—the EU–US Privacy Shield (2016–2020) and the International Safe Harbor Privacy Principles (2000–2015)—were declared invalid by the European Court of Justice in part due to concerns that personal data leaving EU borders is subject to sweeping US government surveillance. The EU-US Data Privacy Framework is intended to address these concerns.^[4][5][6]

After the invalidation of the EU–US Privacy Shield in July 2020, companies wishing to transfer data between the EU and the US "have faced confusion, higher compliance costs, and challenges for EU–US business relationships".^[6]

The EU parliament raised substantial doubts that the new agreement reached by Ursula von der Leyen is actually conform with EU laws, as it still does not sufficiently protect EU citizens from US mass surveillance and severely fails to enforce basic human digital rights in the EU.^[7] In May 2023 a resolution on this matter passed the EU parliament with 306 votes in favor and only 27 against, but so far has stayed without consequences.^[8] The NGO NOYB (European Center for Digital Rights) has announced that it will once again try to set the Framework out of force in front of the European Court of Justice.^[9]

History

On March 25, 2022, it was announced that the European Commission and the United States had committed to a "Trans-Atlantic Data Privacy Framework" in reaction to the failure of the EU-US Privacy Shield.^[1][10]

In October 2022, U.S. President Joe Biden signed an executive order to implement the framework.^[4]

In May of 2023, the European Data Protection Board approved the Commission's adequacy decision draft that was published on December 13, 2022.^[11]

Although not binding on the European Commission, on 11 May 2023 the European Parliament voted in favour of a resolution calling on the Commission to renegotiate the Framework^[12] and not to adopt an adequacy finding on the basis that "the EU–U.S. Data Privacy Framework fails to create essential equivalence in the level of protection".^[13]

On July 10 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework, thereby allowing transfer of personal data from the EU to the U.S. on the basis of Article 45 of the GDPR.^[3]

Data Protection Review Court

The Data Protection Review Court (DPRC) is a three-judge panel, established in Executive Order 14086 of 7 October 2022, which will deal with appeals made to the decisions of the Civil Liberties Protection Officer of the Office of the Director of National Intelligence as described by the EU-U.S. Privacy Framework.^[14] The decisions made by the DPRC have binding authority.^[15][16]

There has been criticism. ^[17]

See also

• Law portal

• Data Protection Directive
• Digital privacy
• General Data Protection Regulation
• Safe harbor (law)
• US Privacy and Civil Liberties Oversight Board (PCLOB)

References

1. McCabe, David; Stevis-Gridneff, Matina (25 March 2022). "U.S. and European leaders reach deal on trans-Atlantic data privacy". The New York Times. Retrieved 28 March 2022.
2. "Biden Executive Order Supports New EU-U.S. Data Privacy Framework for Trans-Atlantic Transfers of Data". The National Law Review. Retrieved 2022-11-01.
3. "Data Protection: European Commission adopts new adequacy decision for safe and trusted EU-US data flows". European Commission - European Commission. 10 July 2023. Retrieved 2024-03-05.
4. Shepardson, David; Blenkinsop, Philip (8 October 2022). "Biden signs order to implement EU-U.S. data privacy framework". Reuters. Retrieved 2022-11-01.
5. "US expected to publish Privacy Shield executive order next week". Politico. 27 September 2022. Retrieved 2022-11-01.
6. "Legal Questions Loom Over Latest Trans-Atlantic Data Flows Deal". news.bloomberglaw.com. Retrieved 2022-11-01.
7. "Texts adopted - Adequacy of the protection afforded by the EU-U.S. Data Privacy Framework - Thursday, 11 May 2023". www.europarl.europa.eu. Retrieved 2024-05-30.
8. "Procedure File: 2023/2501(RSP) | Legislative Observatory | European Parliament". oeil.secure.europarl.europa.eu. Retrieved 2024-05-30.
9. "European Commission gives EU-US data transfers third round at CJEU". noyb.eu. Retrieved 2024-05-30.
10. "FACT SHEET: United States and European Commission Announce Trans-Atlantic Data Privacy Framework". The White House. 2022-03-25. Retrieved 2024-03-05.
11. "Opinion 5/2023 on the European Commission Draft Implementing Decision on the adequate protection of personal data under the EU–US Data Privacy Framework". European Data Protection Board. 28 February 2023. Retrieved 2023-03-01.
12. Silver, Andrew (2023-05-12). "Parliament calls on Commission not to adopt EU-US data deal". Research Professional News. Retrieved 2023-08-14.
13. "Texts adopted – Adequacy of the protection afforded by the EU-U.S. Data Privacy Framework". European Parliament. 11 May 2023. Retrieved 2023-06-16.
14. Biden, Joe (7 October 2022). "Executive Order 14086 Enhancing Safeguards for United States Signals Intelligence Activities". Federal Register. Retrieved 2024-03-11.
15. 28 C.F.R. §201.9(g)
16. "Press corner". European Commission - European Commission. Retrieved 2023-01-30.
17. Mike Masnick. "We Shouldn't Allow A New Super Secret Surveillance Court Cover Up The Civil Liberties Problems Of The Old Super Secret Surveillance Court". Archived from the original on 2024-02-02. Retrieved 2024-02-02.

External links

• EU-US data transfers webpage of the European Commission
• Data Privacy Framework List website of the US International Trade Administration
• Commission Implementing Decision EU 2023/1795 of the European Commission on EUR-Lex
• 28 CFR Part 201 (Data Protection Review Court) of the US Code of Federal Regulations from the LII
• 28 CFR Part 201 (Data Protection Review Court) of the US Code of Federal Regulations from the OFR