EU US Privacy Shield

On July 10, 2023, the European Commission formally approved the EU-U.S. Data Privacy Framework (DPF) by adopting an "adequacy decision." Adequacy decisions are one of the legal mechanisms under the EU's General Data Protection Regulation (GDPR) for transferring personal data from the European Union (EU) to other countries which, in the eyes of the European Commission, offer sufficient privacy and data protection. The DPF adequacy decision recognizes that, although the United States has a different approach to data protection than the EU, personal data transferred to the U.S. under the DPF is considered to be adequately protected in line with the GDPR's rules on international data transfers. The European Commission takes the position that personal data can flow freely and safely from the EU to U.S. companies that are participating in the new framework.

Transfers of personal data from the EU to the U.S. have generated much controversy over the past few years. In 2020, the Court of Justice of the EU invalidated the DPF's predecessor, the EU-U.S. Privacy Shield, following a complaint by Austrian privacy activist Maximilian Schrems and his nonprofit organization NOYB (known as the Schrems II case). In the Schrems II case, questions were raised about how personal data of EU users of social network Facebook was available to U.S. authorities (e.g., the National Security Agency) in a manner that was considered incompatible with the EU Charter of Fundamental Rights. The Court of Justice was particularly concerned that U.S. intelligence agencies could access personal data from EU individuals beyond what is necessary and proportionate and that there was no independent and impartial redress mechanism to handle complaints from EU individuals.

In the wake of the Schrems II case, the European Commission and the U.S. government engaged in intense negotiations to set up a new and enhanced EU-U.S. data transfer structure—the DPF—that addresses the concerns of the Court of Justice. In support of this initiative, U.S. President Joe Biden signed an executive order that aims to provide additional protections for EU individuals whose personal data is transferred to the U.S., including:

|
  • Data access limitations imposed on the U.S. intelligence community to ensure that they only access what is necessary and proportionate to protect national security.
  • Enhanced oversight of the surveillance activities that U.S. intelligence agencies are involved in.
  • The creation of a new, two-layered redress mechanism for handling and resolving complaints from EU individuals with concerns about the (potential) collection and use of their personal data by the U.S. intelligence community. The new mechanism features a low entry threshold: EU individuals will be able to submit complaints to their local data protection authority in their own language. The data protection authority will subsequently transmit the complaints to the United States, via the European Data Protection Board.

Following a lengthy assessment, the European Commission ultimately found that the additional data access limitations, safeguards, and redress possibilities that the United States has committed to implement in the context of the new framework suffice to ensure an adequate level of protection for personal data transferred from the EU to companies participating in the DPF.

Complete your profile to continue reading and get FREE access to Treasury & Risk, part of your ALM digital membership.

Your access to unlimited Treasury & Risk content isn’t changing.
Once you are an ALM digital member, you’ll receive:

  • Thought leadership on regulatory changes, economic trends, corporate success stories, and tactical solutions for treasurers, CFOs, risk managers, controllers, and other finance professionals
  • Informative weekly newsletter featuring news, analysis, real-world case studies, and other critical content
  • Educational webcasts, white papers, and ebooks from industry thought leaders
  • Critical coverage of the employee benefits and financial advisory markets on our other ALM sites, PropertyCasualty360 and ThinkAdvisor
NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.