On 10 July, the European Commission formally adopted the long-awaited new EU-U.S. Data Privacy Framework, which is expected to put an end to three years of legal limbo for organisations and businesses relying on transatlantic data transfers as part of their economic activities. With the new data transfer agreement, the EU grants the U.S. a so-called adequacy decision, issued within the legal framework of the General Data Protection Regulation (GDPR), which means that companies will again be allowed to freely transfer data across the Atlantic. More specifically, the Commission’s adequacy decision serves as an assessment that the U.S. government provides data protection measures to European citizens that is equivalent to the data protection citizens enjoy within the Union. Prior to the Commission’s formal adoption of the decision, the 27 EU Member States demonstrated strong support of the agreement with 24 votes in favour and 3 abstentions. Around the same time, the U.S. government similarly assured the EU that it had fulfilled all of its requirements under the agreement.
As briefly touched upon, the new Data Privacy Framework has been highly anticipated, since the Court of Justice of the European Union (CJEU) in 2020 struck down the previous transatlantic data transfer agreement – the Privacy Shield – following complaints from data privacy activist Max Schrems about invasive U.S. surveillance programmes. Since the CJEU’s Schrems II ruling, data controllers or processors intending to transfer data from the EU to the U.S. have therefore had to rely on standard contractual clauses with guarantees that data subjects would enjoy a level of data protection equivalent to that guaranteed by the GDPR. Now, however, legal certainty appears to have been reestablished and European companies’ data exchanges with their U.S. counterparts can thereby resume.
What’s in the new data transfer agreement?
The new EU-U.S. Data Privacy Framework is based on a certification system, which means that organisations wanting to participate in the framework must commit to a set of privacy principles laid down in the agreement in order to get certified. Moreover, the agreement introduces a number of redress mechanisms, allowing European data subjects to lodge complaints if they consider themselves to be affected by an organisation’s non-compliance. In relation to this, the U.S. has also, as part of the framework, set up a Data Protection Review Court (DPRC), which shall allow European citizens “to bring claims against U.S. agencies if they believe their data was not gathered in a ‘necessary’ and ‘proportionate’ way for national security.”
With a view to the newly adopted agreement, European Commissioner for Justice, Didier Reynders, has stated that this framework is “substantially different” from the previous agreements on the matter, and that this time, the agreement should be able to withstand judicial scrutiny by the CJEU. Nonetheless, privacy activists have already expressed their intention to file lawsuits against the new agreement due to arguments that it still does not provide European citizens with adequate safeguards for their data privacy.
Next steps towards free flows of data
Ecommerce Europe welcomes the adoption of the new EU-U.S. Data Privacy Framework, as it will bring an end to years of legal uncertainty for businesses engaging in data transfers with the U.S., e.g. through the use of American digital services and business solutions. Moreover, we of course also support the strengthening of data protection measures which will contribute to ensuring more trust among European consumers with regard to how their personal data is handled when transferred across the Pond. Finally, while the adoption of the Data Privacy Framework is a key step towards, again, facilitating a free flow of data between the EU and the U.S., we would like to emphasise to our members, and the European digital commerce sector in general, that there is not yet a complete safe-conduct, as interested American organisations will first have to obtain the Data Privacy Framework certification in order to take part in transatlantic data transfers. Only after this certification process will businesses and other organisations be able to, once again, carry out data transfers from the EU to the U.S. There is currently no official timeline for the certification process, but this could likely take a few additional months.
If you have any questions or wish to know more about the topic, please feel free to contact us at info@ecommerce-europe.eu.
