NEW EU – US DATA PRIVACY FRAMEWORK - SIMPLIFIED DATA TRANSFER TO THE US
14 September 2023
With the Schrems II judgment, which invalidated the Privacy Shield, the CJEU (Court of Justice of the European Union) made it more difficult for companies transferring personal data from the EU to the US to comply with the GDPR. However, the new EU-US Data Privacy Framework (or “Framework”) adopted on 10 July aims to put an end to this situation. But how does the Framework make data transfers between the EU and the US easier? In this short article, we explain the basics of the new Framework and answer the above question.
Under the adequacy decision that preceded the new EU-US Data Privacy Framework, the so-called Privacy Shield adopted in 2016, US companies could register under the Privacy Shield and, once they did so, the European Commission recognised that the US provided adequate protection for personal data transferred to such companies. This meant that no additional safeguards were needed for data transfers to such companies.
However, in the 2020 Schrems II judgment, the CJEU invalidated the Privacy Shield, stating that US laws did not provide adequate protection, in particular due to the excessive rights of the national security organisations and the lack of appropriate legal remedies.
In the absence of the adequacy decision, parties making such transfers had to apply a complex set of rules providing other additional safeguards, most commonly the standard data protection clauses adopted by the European Commission.
However, following the negotiations between the EU and the US, the US passed legislation aimed at addressing the problems identified in the Schrems II judgment.
2. EU – US Data Privacy Framework
After the above-mentioned legislation, the European Commission concluded that the US now ensures an adequate level of protection for personal data transferred from the EU to companies participating in the EU-US Data Privacy Framework.
The Commission has based its decision on the following.
The Framework, by adopting a new set of rules and binding safeguards, limits access to EU data by US intelligence services to what is necessary and proportionate.
Moreover, the new Framework provides access for EU citizens to an independent and impartial redress mechanism regarding the collection and use of their data by US intelligence agencies, which includes a newly created Data Protection Review Court (DPRC).
Based on the above, personal data can be transferred to US companies participating in the EU-US Data Privacy Framework without being subject to any further conditions or authorisations. Consequently, transatlantic data transfers may be based solely on the Framework, instead of the currently used standard contractual clauses.
3. Certification of the US companies
To participate in the Framework, US companies must, of course, comply with the Framework and, as under the previous Privacy Shield, apply for certification to be added to the “Data Privacy Framework List”.
Once a US organisation is placed on the above-mentioned List, it can receive personal data on the basis of the Framework.
Moreover, US companies that are already registered under the previous Privacy Shield can rely on the Framework immediately, but they must also take action to comply with the new Framework by 10 October 2023; for instance, they need to update their privacy policies.
After the invalidation of the Privacy Shield, the situation for companies that transfer personal data to the US became more difficult, as companies had to apply specific data protection clauses to each transfer to the US.
However, the recently adopted EU – US Data Privacy Framework remedied the problems identified in the Schrems II judgment. Consequently, according to the European Commission, the US now provides effective legal protection as well as the right to an adequate judicial remedy for those whose personal data are made available to US national security organisations.
The adoption of the Framework makes it significantly easier to transfer personal data from the EU to the US, as a certified US company can receive personal data from the EU solely based on the Framework instead of the currently used standard contractual clauses.
However, US companies can only use the Framework if they apply for certification and are added to the Data Privacy Framework List.
US companies that are already registered under the previous Privacy Shield are in a better position, as they can rely on the Framework immediately, but they must also take action to comply with the new Framework by 10 October 2023.