A New Agreement For Data Transfer Across The Atlantic: EU-US Data Privacy Framework

Aug 2023

Senior Associate: Jelena Đukanović

Associate: Danilo Spasojević

If you are engaged in cross-border activities, e-commerce, providing online services, or collaborating with US entities, we have promising news for you. The long-awaited EU-US Data Privacy Framework has finally come into effect, heralding a new era in transatlantic data transmission. This regulatory development aims to simplify the process of transferring personal data from the European Union (and potentially Serbia in the near future) to the United States, offering you the advantage of bypassing intricate procedures such as incorporating SCCs (Standard Contractual Clauses) into data transfer agreements, implementing the DTIA (Data Transfer Impact Assessment), and undertaking other safeguarding measures for data being transferred to foreign territories.

On July 10, 2023, an adequacy decision was adopted by the European Commission. The decision was a product of three-year-long negotiations and cooperation between the European Union and the United States authorities regarding the transfer of personal data from the EEA (European Economic Area) to the United States territory. Previously, the American President signed an Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities, thereby ensuring a higher level of personal data protection within the US borders and paving the way for the adoption of the EU’s adequacy decision.

Timeline and Challenges of Transatlantic Personal Data Transfer

The GDPR (General Data Protection Regulation) establishes requirements for transferring data from the European Union to third countries. Data can be transferred freely to non-EU countries only if the authorities of the EU have determined that the legislation of the recipient country ensures an adequate level of protection. The United States’ status on this matter has not been consistent in the previous period.

For a better understanding of what led to the new EU-US Data Privacy Framework, here you can find a chronological sequence of events:

  • The first time the US made it to the list of countries considered to offer equal data protection as EU member states was in the year 2000, when the Safe Harbour Privacy Principles were developed.
  • In 2015, after it was revealed how America’s government accesses data stored by American big tech companies, the European Court of Justice issued the Schrems I judgment[1] that nullified the Safe Harbour Agreement. This decision deprived the US of its privileged position.
  • After that, in 2016, a new framework called the EU-U.S. Privacy Shield came into effect and data transfer to the US was once again facilitated.
  • In 2020, American entities got deja vu when the European Court of Justice issued the Schrems II judgment[2], invalidated the EU-U.S. Privacy Shield, and tightened the rules regarding international transfer once again.
  • Now, in 2023, we are witnessing new cooperation in the field of data protection between the EU and the US. Only time will tell if history will repeat itself or if the third time really is a charm.

Main Changes Brought By The EU-US Data Privacy Framework

The EU-US Data Privacy Framework can be a pivotal shift in data transfer regulations. This regulatory update is set to revolutionize the way companies handle personal data between the European Union and the United States. In the following paragraphs, we delve into the key benefits this framework offers for data transfer, including simplified processes, heightened data protection measures, and improved redress mechanisms. Let’s explore how these changes are shaping the future of transatlantic data exchange.

a. Easier data transfer

Essentially, companies are encouraged to enforce privacy policies that comply with relevant data protection principles in order to facilitate the data transfer in which they participate and to avoid implementing standard contractual clauses and data transfer impact assessment. They can do so by obtaining certification from the US Department of Commerce, an American authority that will evaluate applications for certification and monitor ongoing compliance with the certification requirements.

b. Additional safeguards

The EU-US Data Privacy Framework brings additional safeguards for the personal data of individuals from the European Union by limiting access to that information by American public authorities. Access to data is now restricted to the extent that is necessary and proportionate for safeguarding national security. Also, if personal data is not collected in accordance with the new safeguards or if it is no longer used for the purpose for which it was collected, this framework provides for the deletion of such data.

c. Independent and impartial redress mechanism

Individuals from the EU will have an opportunity to question data collection and to complain to independent and impartial authorities regarding the collection and processing of their personal data. Namely, a new redress mechanism will operate where individuals will be able to file complaints directly to their national data protection authorities. Afterward, complaints will be sent to the US via the European Data Protection Board and evaluated by the United States Civil Liberties Protection Officer. In case of a negative decision, individuals could appeal to the newly created Data Protection Review Court (DPRC).

The European Commission will keep watch on developments regarding data protection in the United States and continuously review this year’s adequacy decision.

Last but not least, the mentioned safeguards are not restricted only to personal data transfers to certified companies, but will also take part in making all such transfers easier and safer, even in cases when standard contractual clauses need to be implemented. In case you want to learn more about the international transfer of personal data, we have got you covered with our blog on the topic International transfer of personal data.

What if you are a US-based company?

If US companies want to benefit from the provisions of the EU-US Data Privacy Framework, they first need to adopt a privacy policy that is compliant with this regulation and get self-certified on the new website of the US Department of Commerce, which has been operating since July 17, 2023. The US Department of Commerce will continuously oversee self-certified US companies to ensure their adherence to the EU-US Data Privacy Framework, which will also include random spot checks. The procedure for the companies that participated in the previous EU-U.S. Privacy Shield will be simplified if they self-certify by October 10, 2023.

Similarly, American companies can already sign up to receive personal data from the UK and Switzerland by using these mechanisms, but still can’t rely on them until adequate frameworks enter into force in these two countries.


What if you are an EU-based company?

European companies must be cautious about whom they send personal data to, and they need to be aware of the obligation to ensure equal protection and security of personal data even when it is no longer under their exclusive control. If they send personal data to companies participating in the EU-US Data Privacy Framework, the transfer can be carried out without any obstacles or additional efforts.

On the other hand, if the data recipient is not certified by the US Department of Commerce, the international data transfer will be subject to existing rules, which include the obligation to implement standard contractual clauses, carry out a data transfer impact assessment, and take all necessary measures to achieve an equivalent level of data protection as provided by the GDPR.

The list of certified companies that meet the requirements to participate in the EU-US Data Privacy Framework will be maintained by the US Department of Commerce and made available on its website.

What if you are a Serbian company?

The Serbian Commissioner for Information of Public Importance and Personal Data Protection has not yet taken an official stance regarding the transfer of personal data to the US based on the EU-US Data Privacy Framework. Given that previously allowed free data transfers relied solely on the Privacy Shield (which is no longer valid), this issue remains to be resolved. However, considering that the data protection regulation of the Republic of Serbia tends to closely align with the EU regulation, we believe it’s only a matter of time before the benefits of this decision also impact data transfers from Serbia to the US.

The Framework Is Already Being Challenged

The chair of the non-profit organization NOYB, Max Schrems, has stated that he believes the European Commission’s decision is a product of political interests, rather than genuine concern for individuals’ privacy as presented. He also said that the EU-US Data Privacy Framework seems to be just a copy of previous agreements between the EU and the US regarding data protection, without any significant difference.

Additionally, NOYB has announced that they will challenge the new transatlantic deal as soon as the conditions for it are met, that is, when its mechanism for the international transfer of data gets implemented.

It seems that the adequacy decision was a compromise, establishing a balance between achieving two essential goals.

One is to ensure that the transfer of personal data is always accompanied by equal protection, even when it involves transfers to other continents.

The other is to minimize barriers to economic growth by facilitating collaboration between European and American companies.

In any case, as long as the EU-US Data Privacy Framework is in effect, companies will have the autonomy to assess whether they want to utilize its benefits and how they want to protect the personal data they collect and transfer.

[1] Document 62014CJ0362, Judgment of the Court (Grand Chamber) of 6 October 2015. Maximillian Schrems v Data Protection Commissioner. https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62014CJ0362

[2] Document 62018CJ0311, Judgment of the Court (Grand Chamber) of 16 July 2020. Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62018CJ0311
