The EU-US Data Privacy Framework: A New Era for Transatlantic Data Transfers
The EU-US DPF replaces the previous Privacy Shield framework, which was invalidated in 2020. It provides businesses with a way to transfer personal data from the EU to the US in compliance with EU law
In a recent development, a French Member of Parliament (MP) has stirred headlines [1] by contesting the latest transatlantic agreement that permits companies to freely move data between the European Union (EU) and the United States. This challenge comes as a surprise, especially after expectations that the new framework would resolve all the EU's concerns following the invalidation of Privacy Shield, putting an end to a two-year-long uncertainty. Or may be it was not a surprise since many experts had expressed reservations. Max Schrems had said he would likely challenge [2] the new deal in court after Biden’s Executive order [3] was published.
What is DPF?
Details of the DPF are in Biden’s Executive Order last year [3]. Following is a summary of the EO.
The European Union and the United States have agreed to a new data privacy framework that will allow for the free flow of data between the two regions. The framework, known as the EU-US Data Privacy Framework (EU-US DPF), replaces the previous Privacy Shield framework, which was invalidated by the European Court of Justice (CJEU) in 2020.
The EU-US DPF is a significant development for businesses and consumers on both sides of the Atlantic. It provides a clear and predictable path for businesses to transfer personal data from the EU to the US, and it gives EU citizens more control over their data.
The EU-US DPF is based on four key principles:
Stronger safeguards for personal data: The framework includes new safeguards to protect personal data transferred from the EU to the US, including limits on US government access to data and a new redress mechanism for EU citizens.
Transparency and accountability: Companies that participate in the framework will be subject to strict transparency and accountability requirements. They will be required to disclose how they collect, use, and share personal data, and they will be subject to audits by independent third parties.
Individual control: EU citizens will have more control over their data under the framework. They will have the right to access, correct, and delete their data, and they will have the right to opt out of having their data used for targeted advertising.
Enforcement: The framework includes a strong enforcement mechanism to ensure that companies comply with its requirements. The US Department of Commerce will be responsible for enforcing the framework, and the EU Commission will have the power to suspend or terminate the framework if it finds that the US is not complying with its terms.
References
[1] https://www.politico.eu/article/french-lawmaker-challenges-transatlantic-data-deal-before-eu-court/
[2] https://www.politico.eu/article/eu-signs-off-on-data-transfers-deal-with-us/