Angle
New EU-US Data Transfer Framework Finalized: What Does the Future Hold?
- Regulatory & Compliance
With data privacy rules changing around the globe, how can organizations handle cross-border data transfers while remaining compliant? This has been a pressing question in recent years.
It is common for organizations to have a global presence or to conduct activities in several countries. The need to set up data transfers involving jurisdictions with strict rules, such as the EU's General Data Protection Regulation (GDPR), has created obstacles. An updated framework for personal data transfers between the U.S. and the EU was recently finalized. Affected organizations should understand how this change came about, what the framework requires, and what analysts expect for the future of EU-U.S. data transfers.
The History
For almost 25 years, the EU and U.S. have had some form of agreement in place to streamline data transfers while maintaining adequate protections. When the GDPR reshaped the EU's privacy landscape, and when the courts struck down successive agreements, significant revisions to the transfer process became necessary. The timeline:
- In 2000, the EU-U.S. Safe Harbor Framework was established to allow cross-border transfers. It was invalidated in October 2015 (the first Schrems decision).
- In July 2016, the new Privacy Shield framework became effective.
- In July 2020, the landmark Schrems II decision invalidated the Privacy Shield framework. The Court of Justice of the European Union found that U.S. surveillance law allowed government access to transferred data beyond what the GDPR permits and gave EU individuals no effective redress, so the U.S. could not be considered to provide an essentially equivalent level of protection.
- In June 2021, the European Commission adopted new standard contractual clauses (SCCs) with enhanced accountability and transparency obligations. The SCCs govern personal data transfers from EU member states to third countries and are meant to ensure that cross-border activity aligns with GDPR standards.
- With the Privacy Shield gone, organizations turned to the new SCCs to carry out EU-U.S. data transfers. This is a more complex and less predictable mechanism: Schrems II requires exporters to perform time-consuming transfer impact assessments of the destination country's law and, where needed, adopt supplementary measures.
- In March 2022, the EU and U.S. reached an agreement in principle to implement another mechanism for transfers that would streamline the process, allow for self-certification, and enhance privacy protections.
- In October 2022, President Biden signed an executive order setting out the steps to implement the new framework on the U.S. side, again providing for self-certification and increased oversight of intelligence access to transferred data.
- On July 10, 2023, the European Commission adopted its adequacy decision for the new EU-U.S. Data Privacy Framework, concluding that the new limits on U.S. surveillance and the new redress mechanism for EU individuals were satisfactory.
The New Framework
The U.S. Department of Commerce administers the new EU-U.S. Data Privacy Framework program. Participation is not mandatory; organizations may continue to use other mechanisms such as the SCCs, but the framework is intended to streamline the process. Here are the key features:
- Organizations must publicly commit to comply with the prescribed privacy obligations, including data minimization, limits on onward sharing, and more. Making that public commitment gives the Federal Trade Commission jurisdiction to enforce it, if necessary.
- Organizations must provide GDPR-like protections to individuals so that personal data can flow to them without additional safeguards.
- To address surveillance concerns, there are now limits on when U.S. intelligence agencies can access data coming from the EU, increased oversight, and an independent redress process.
- Individuals can file complaints with their own national data protection authority about suspected mishandling of their data by U.S. intelligence agencies. Additional layers then route the complaint to the U.S. for investigation, review, and resolution, with final review by a new Data Protection Review Court. This redress process is also available for transfers made outside the new framework, including transfers under the SCCs.
- The EU will periodically review the program to confirm that it continues to merit adequacy status.
With this, organizations can now self-certify under the new framework. While many have been waiting in limbo, some chose to maintain their certifications under the invalidated Privacy Shield even though that mechanism could no longer be relied upon for transfers.
Forecasting the Future
With this being the third attempt to implement a streamlined transfer mechanism, two questions are on everyone's mind. Will it stick this time? And if the new framework is struck down, what would be enough? Analysts are torn, and opinions are all over the board.
Max Schrems, the privacy advocate behind the Schrems cases, has already stated that he does not consider the framework valid and intends to bring a court challenge. The European Parliament and several data protection authorities have voiced similar doubts. Skeptics believe that only legislative action by Congress to change U.S. surveillance law would provide sufficient protection.
On the other side, the European Commission President said the new framework contains unprecedented commitments that will enable safe and secure transfers. Will that hold up? Only time will tell.
In the meantime, some analysts are urging organizations to take advantage of the framework to relieve the burden carried over the past three years. Others advise more caution: consider the new compliance obligations and perform a risk analysis before moving forward.
Whichever path is chosen, keeping track of new developments should be a priority. A court challenge will likely take years to play out, and with the industry split on the issue, there is no telling how a ruling would come out. In the meantime, how U.S. organizations approach compliance and the first decisions from the new Data Protection Review Court will shed more light on the fate of the latest EU-U.S. Data Privacy Framework.
The contents of this article are intended to convey general information only and not to provide legal advice or opinions.