With this decision, the EU Commission confirms that an adequate level of protection for personal data is guaranteed in the USA via the new data privacy framework, comparable to the standards of protection within the EU via the GDPR regulations. However, this only applies if personal data are transmitted from the EU to US companies that participate in the EU-US Data Privacy Framework via self-certification.
The aim of the new data privacy framework is to place the transmission of personal data from the EU to the USA on a new legal basis, taking into account the criticism voiced by the European Court of Justice (ECJ) in 2020 and the failure of the “Privacy Shield”. The reason for the ECJ’s rejection of the Privacy Shield (ECJ judgment of 16 July 2020, C-311/18 – Schrems II) was, as is well known, that US authorities were able to access personal data of EU citizens and that the data subjects have not been granted effectively enforceable rights against these accesses that meet the requirements of the EU Charter of Fundamental Rights.
High Relevance to Practice
U.S. companies that want to benefit from the new data privacy framework must comply with the principles set forth in the EU-U.S. Data Privacy Framework.
The Data Privacy Framework Program website, which has been launched by the U.S. Department of Commerce meanwhile, lists all U.S. companies that participate in this program and have made a self-certification commitment to the U.S. Department of Commerce.
In addition, an independent Data Protection Review Court (DPRC) will be set up in the USA to accompany the DPF on the basis of an Executive Order issued by U.S. President Biden on 7 October 2022, which will give EU citizens the opportunity to have reviewed by an independent instance for their legality the access to their personal data by U.S. intelligence services.
In practice, the EU-U.S. Data Privacy Framework means that, for the time being, EU companies have more legal certainty if they want to cooperate with US companies certified under the DPF in the US in the area of personal data processing. Criticism of the new agreement has also been voiced from various sides, who do not see a real paradigm shift compared to the previous treaties. In the end, however, it can be said that the new EU-U.S. Data Privacy Framework gives companies in the EU the opportunity to take a breath.