The EU-U.S. Data Privacy Framework: Did Transferring Personal Data from the EU to the U.S. Just Get Easier?
Businesses and organizations that (regularly) transfer personal data from the EU to the U.S. should carefully assess, on a case-by-case basis, whether it makes sense to rely on the new EU-U.S. Data Privacy Framework or to use one of the other data transfer tools that are available under the GDPR.
September 14, 2023 at 10:28 AM
8 minute read
Privacy
On July 10, 2023, the European Commission formally approved the EU-U.S. Data Privacy Framework (DPF) by adopting an "adequacy decision." Adequacy decisions are one of the legal mechanisms under the EU's General Data Protection Regulation (GDPR) for transferring personal data from the EU to third countries which, in the eyes of the European Commission, offer sufficient privacy and data protection. The DPF adequacy decision recognizes that, although the United States has a different approach to data protection than the EU, personal data transferred to the U.S. under the DPF is considered to be adequately protected in line with the GDPR's rules on international data transfers. The European Commission takes the position that personal data can flow freely and safely from the EU to U.S. companies that are participating in the new Framework.
Transfers of personal data from the EU to the U.S. have generated much controversy over the past few years. In 2020, the Court of Justice of the EU invalidated the DPF's predecessor, the EU-U.S. Privacy Shield, following a complaint by Austrian privacy activist Maximilian Schrems and his nonprofit organization NOYB — European Center for Digital Rights (known as the Schrems II case). In the Schrems II case, questions were raised about how personal data of EU users of social network Facebook was available to U.S. authorities (e.g., the National Security Agency) in a manner that was considered incompatible with the EU Charter of Fundamental Rights. The Court of Justice was particularly concerned that U.S. intelligence agencies could access personal data from EU individuals beyond what is necessary and proportionate and that there was no independent and impartial redress mechanism to handle complaints from EU individuals.
In the wake of the Schrems II case, the European Commission and the U.S. government engaged in intense negotiations to set up a new and enhanced EU-U.S. data transfer structure — the DPF — that addresses the concerns of the Court of Justice. In support of this initiative, U.S. President Joe Biden signed an Executive Order that aims to provide additional protections for EU individuals whose personal data is transferred to the U.S., including:
|- Data access limitations imposed on the U.S. intelligence community to ensure that they only access what is necessary and proportionate to protect national security.
- Enhanced oversight of the surveillance activities that U.S. intelligence agencies are involved in.
- The creation of a new, two-layered redress mechanism for handling and resolving complaints from EU individuals with concerns about the (potential) collection and use of their personal data by the U.S. intelligence community. The new mechanism features a low entry threshold: EU individuals will be able to submit complaints to their local data protection authority in their own language. The data protection authority will subsequently transmit the complaints to the United States (via the European Data Protection Board).
Following a lengthy assessment, the European Commission ultimately found that the additional data access limitations, safeguards and redress possibilities that the United States has committed to implement in the context of the new Framework suffice to ensure an adequate level of protection for personal data transferred from the EU to companies participating in the DPF.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
Companies' Dirty Little Secret: Those Privacy Opt-Out Requests Usually Aren't Honored
'Innovation Over Regulation': Tech Litigators and Experts Share Insights on the Future of AI, Data Privacy and Cybersecurity Under Trump
Old Laws, New Tricks: Lawyers Using Patchwork of Creative Legal Theories to Target New Tech
Law Firms Mentioned
Trending Stories
- 1How I Made Partner: 'Develop a Practice Area You Really Care About ,' Says Jennifer Gniady of Stradley Ronon
- 2Indian Billionaire Gautam Adani Indicted in Brooklyn for Alleged Orchestration of $250 Million Bribery Plot
- 3St. Ivo: Patron Saint of Lawyers
- 4Eagle Pharma Founder Sues Company to Recoup Cost of SEC Investigation
- 5GC Conference Takeaways: Picking AI Vendors 'a Bit of a Crap Shoot,' Beware of Internal Investigation 'Scope Creep'
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
