A brief overview of the EU-US Data Privacy Framework (2023)
https://www.helpnetsecurity.com/2023/07/11/eu-us-data-privacy-framework/

Hi network! Today we are going to talk about a very recent matter that occurred in the Privacy and Data Protection scenario, but that directly affects the international commercial logic: the Adequacy Decision between the European Union and the USA for the international transfer of personal data.

This adequacy decision gave birth to the new EU-U.S. Data Privacy Framework. As the word "new" suggests, there have been other frameworks in the past but, as we will explain later, they have been invalidated by the Court of Justice of the European Union for various reasons, including access to data by US intelligence services.

But wait, let's take it step by step. I will list here some key questions that will better define what this new decision of the European Commission means, which will greatly influence international trade relations in the coming years:

  • What is an adequacy decision?

An adequacy decision is one of the tools provided under the General Data Protection Regulation (GDPR) to transfer personal data from the EU to third countries. As a result, personal data can flow freely and safely from the European Economic Area (EEA). In other words, transfers to the third country can be handled in the same way as intra-EU transmissions of data.

  • But what are the criteria to assess adequacy?

The European data protection authorities have developed a list of elements that must be taken into account for this assessment, such as the existence of core data protection principles, individual rights, independent supervision and effective remedies, as well as the Standard Contractual Clauses (the well-known "SCCs").

  • But why is this kind of international regulatory movement necessary?

Well, it's a complex question and involves a quick history lesson on the two previous adequacy decisions, the so-called "Safe Harbor" and "Privacy Shield".

Remember back in 2013 when Edward Snowden revealed that the US government was using "big tech" companies and programs to spy on the rest of the world without the need for probable cause or judicial approval? Yeah, well... This was not limited to crime or terrorism, but also included spying on US "partners".

Since 1995, EU law has stated that personal data generally cannot be sent outside the EU unless there is "essentially equivalent" protection in the destination country. For that reason, the US industry relied heavily on a European Commission decision called "Safe Harbor", which declared the US "essentially equivalent" in 2000. However, the Court of Justice of the European Union annulled the Commission's decision in the famous case called "Schrems I" in 2015, due to the invasive US surveillance laws. Then, in 2016, the European Commission had to do another round of legal juggling to pass the same decision on data transfers between the EU and the US again, under the new name "Privacy Shield", which was invalidated, again, by the Court of Justice of the European Union in the "Schrems II" case in 2020, largely for the same reasons.

  • But what on earth is Schrems?

Well, it's not what, but who.

Maximilian Schrems is an Austrian activist, lawyer, and author who became known for campaigns against Facebook for its privacy violations, including violations of European privacy laws and the alleged transfer of personal data to the US National Security Agency as part of the NSA's PRISM program.

As a matter of interest, Max Schrems once said, quote: "We now had 'Harbors', 'Umbrellas', 'Shields' and 'Frameworks' - but no substantial change in US surveillance law. The press statements of today are almost a literal copy of the ones from the past 23 years. Just announcing that something is 'new', 'robust' or 'effective' does not cut it before the Court of Justice. We would need changes in US surveillance law to make this work - and we simply don't have it."

  • Ok, so what does the EU-U.S. Data Privacy Framework stand for?

Since the invalidation of the so-called EU-US Privacy Shield by the Court of Justice of the European Union in the "Schrems II" case in 2020, as we have just explained, a long and costly dialog between the US and the European Union has been ongoing to give birth to the EU-US Data Privacy Framework.

This adequacy decision, in turn, legitimizes transfers of personal data from EU countries to the United States for commercial purposes. That way, European entities are able to transfer personal data to participating companies in the United States without having to put in place additional data protection safeguards.

This decision by the European Commission is part of a mutual dialog effort with US authorities, demonstrating a commitment by the US to, for example, limit access by government intelligence agencies and adhere to a series of data protection adequacy standards acceptable to the Commission. That way, US companies can certify their participation in the EU-U.S. Data Privacy Framework by committing to comply with a detailed set of privacy obligations. This could include, for example, privacy principles such as purpose limitation, data minimisation and data retention, as well as specific obligations concerning data security and the sharing of data with third parties.

Well, dear colleagues, I hope that I have managed to shed some light on what is happening in the current data protection landscape around the globe.

João Pedro Nobre

Medical student at Centro Universitário Barão de Mauá - CBM

1 yr

Amazing, Papp!

Brunna de Lira

Customer Success | CSM | Project Management | Agile Project Management | E-Commerce | SaaS

1 yr

Amazing, Papp! Keep sharing this type of content here! :)

Marina Priolo Grejo

Microbiology | Molecular biology R&D | Master's student

1 yr

Very cool!