The EU-US Data Privacy Framework sets out the principles for the secure and trusted transfer of personal data from the European Economic Area to the United States of America. The Framework aims to ensure a level of protection comparable to that afforded to data transfers within Europe.
As currently drafted, the regulations enable the exchange of personal data that complies with both US privacy regulations, such as the Privacy Act and the Foreign Intelligence Reduction Act (FISA), and EU requirements, especially GDPR (General Data Protection Regulation).
The creation of the Framework is related to the rulings of the Court of Justice of the European Union (CJEU) in the Schrems I and II cases as well as the inadequacy of the data protection provided by the so-called EU-US Privacy Shield. EU authorities considered that the previous counterparts of the Framework did not provide a sufficient level of privacy protection for personal data transferred from the EU to the US. In its current form, it incorporates almost all of the CJEU's suggestions, most notably those concerning:
The main assumptions of the EU-US Data Protection Framework include:
The EU-US data protection framework also limits access by US security services and public authorities to personal data transferred from the EU. Such access is limited to situations in which it is necessary and proportionate to protect national security. Any access by the US services and public authorities to personal data from the EU must be justified and lawful.
One of the key elements of the protection against sharing data with security services and public authorities is also to increase transparency in informing individuals of such requests. The US organisations participating in the Framework are required to notify their customers or users when they receive a request from security services or public authorities to share data. Therefore, individuals have the opportunity to defend their rights and take appropriate actions to protect their privacy.
By participating in the Framework, US entities undertake to comply with obligations to protect personal data transferred from the EU. Members of the Framework are also required to apply safeguards to limit access by US security services and public authorities to data transferred from the EU. By participating in the programme, US entities can legally receive personal data from EU companies and process it in accordance with the EU privacy standards. It also allows them to avoid the risk of sanctions and restrictions on data flows that could result from the European Commission's failure to recognise an adequate level of privacy protection.
However, joining the Framework is not just a formality. Participating companies must comply with strict data protection rules and regulatory requirements set by the European Commission. By participating in the Framework, these entities commit to adhere to European standards and undergo regular reviews and audits to confirm compliance with privacy requirements.
US companies' participation in the Framework also demonstrates their commitment to protecting the privacy of their customers' and counterparties' personal information. It also provides confirmation that these entities respect European standards and regulations related to data privacy, which is a key element in building trust and maintaining positive business relationships with European partners.
This decision confirms that the EU-US Data Protection Framework provides an adequate level of protection for personal data transferred from the EEA to the US. According to the EC, this level is comparable to European standards. Data transfers to US organisations that have joined the Framework can therefore take place without any additional restrictions. Thus, such companies do not need to obtain special authorisations or use binding corporate rules or standard contractual clauses to process personal data from the EU. This will, in turn, significantly improve the transatlantic transfer of such data. As announced, a list of the US entities participating in the Framework is expected to be published soon by the US Department of Commerce.
Important: for US companies that do not comply with the requirements under the EU-US Data Protection Framework, there is still a need to comply with one of the conditions set out in Articles 46-49 of the GDPR.