Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

The EU-U.S. Data Privacy Framework: Did Transferring Personal Data from the EU to the U.S. Just Get Easier?

By Wim Nauwelaerts
September 01, 2023

On July 10, 2023, the European Commission formally approved the EU-U.S. Data Privacy Framework (DPF) by adopting an "adequacy decision." Adequacy decisions are one of the legal mechanisms under the EU's General Data Protection Regulation (GDPR) for transferring personal data from the EU to third countries which, in the eyes of the European Commission, offer sufficient privacy and data protection. The DPF adequacy decision recognizes that, although the United States has a different approach to data protection than the EU, personal data transferred to the U.S. under the DPF is considered to be adequately protected in line with the GDPR's rules on international data transfers. The European Commission takes the position that personal data can flow freely and safely from the EU to U.S. companies that are participating in the new Framework.

Transfers of personal data from the EU to the U.S. have generated much controversy over the past few years. In 2020, the Court of Justice of the EU invalidated the DPF's predecessor, the EU-U.S. Privacy Shield, following a complaint by Austrian privacy activist Maximilian Schrems and his nonprofit organization NOYB — European Center for Digital Rights (known as the Schrems II case). In the Schrems II case, questions were raised about how personal data of EU users of social network Facebook was available to U.S. authorities (e.g., the National Security Agency) in a manner that was considered incompatible with the EU Charter of Fundamental Rights. The Court of Justice was particularly concerned that U.S. intelligence agencies could access personal data from EU individuals beyond what is necessary and proportionate and that there was no independent and impartial redress mechanism to handle complaints from EU individuals.

In the wake of the Schrems II case, the European Commission and the U.S. government engaged in intense negotiations to set up a new and enhanced EU-U.S. data transfer structure — the DPF — that addresses the concerns of the Court of Justice. In support of this initiative, U.S. President Joe Biden signed an Executive Order that aims to provide additional protections for EU individuals whose personal data is transferred to the U.S., including:

  • Data access limitations imposed on the U.S. intelligence community to ensure that they only access what is necessary and proportionate to protect national security.
  • Enhanced oversight of the surveillance activities that U.S. intelligence agencies are involved in.
  • The creation of a new, two-layered redress mechanism for handling and resolving complaints from EU individuals with concerns about the (potential) collection and use of their personal data by the U.S. intelligence community. The new mechanism features a low entry threshold: EU individuals will be able to submit complaints to their local data protection authority in their own language. The data protection authority will subsequently transmit the complaints to the United States (via the European Data Protection Board).

Following a lengthy assessment, the European Commission ultimately found that the additional data access limitations, safeguards and redress possibilities that the United States has committed to implement in the context of the new Framework suffice to ensure an adequate level of protection for personal data transferred from the EU to companies participating in the DPF.

This premium content is locked for Entertainment Law & Finance subscribers only

  • Stay current on the latest information, rulings, regulations, and trends
  • Includes practical, must-have information on copyrights, royalties, AI, and more
  • Tap into expert guidance from top entertainment lawyers and experts

For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473

Read These Next
Major Differences In UK, U.S. Copyright Laws Image

This article highlights how copyright law in the United Kingdom differs from U.S. copyright law, and points out differences that may be crucial to entertainment and media businesses familiar with U.S law that are interested in operating in the United Kingdom or under UK law. The article also briefly addresses contrasts in UK and U.S. trademark law.

The Article 8 Opt In Image

The Article 8 opt-in election adds an additional layer of complexity to the already labyrinthine rules governing perfection of security interests under the UCC. A lender that is unaware of the nuances created by the opt in (may find its security interest vulnerable to being primed by another party that has taken steps to perfect in a superior manner under the circumstances.

Strategy vs. Tactics: Two Sides of a Difficult Coin Image

With each successive large-scale cyber attack, it is slowly becoming clear that ransomware attacks are targeting the critical infrastructure of the most powerful country on the planet. Understanding the strategy, and tactics of our opponents, as well as the strategy and the tactics we implement as a response are vital to victory.

Legal Possession: What Does It Mean? Image

Possession of real property is a matter of physical fact. Having the right or legal entitlement to possession is not "possession," possession is "the fact of having or holding property in one's power." That power means having physical dominion and control over the property.

The Stranger to the Deed Rule Image

In 1987, a unanimous Court of Appeals reaffirmed the vitality of the "stranger to the deed" rule, which holds that if a grantor executes a deed to a grantee purporting to create an easement in a third party, the easement is invalid. Daniello v. Wagner, decided by the Second Department on November 29th, makes it clear that not all grantors (or their lawyers) have received the Court of Appeals' message, suggesting that the rule needs re-examination.