EU–US Data Privacy Framework
{{Short description|Regulatory framework}}
The EU–US Data Privacy Framework is a European Union–United States data transfer framework that was agreed to in 2022{{cite web |last1=McCabe |first1=David |last2=Stevis-Gridneff |first2=Matina |title=U.S. and European leaders reach deal on trans-Atlantic data privacy. |url=https://www.nytimes.com/2022/03/25/business/us-europe-data-privacy.html |website=The New York Times |access-date=28 March 2022 |date=25 March 2022}}{{cite web|access-date=2022-11-01|title=Biden Executive Order Supports New EU-U.S. Data Privacy Framework for Trans-Atlantic Transfers of Data|url=https://www.natlawreview.com/article/biden-executive-order-supports-new-eu-us-data-privacy-framework-trans-atlantic|website=The National Law Review}} and declared adequate by the European Commission in 2023.{{Cite web |date=10 July 2023 |title=Data Protection: European Commission adopts new adequacy decision for safe and trusted EU-US data flows |url=https://ec.europa.eu/commission/presscorner/detail/en/IP_23_3721 |access-date=2024-03-05 |website=European Commission - European Commission}} Previous such regimes—the EU–US Privacy Shield (2016–2020) and the International Safe Harbor Privacy Principles (2000–2015)—were declared invalid by the European Court of Justice in part due to concerns that personal data leaving EU borders is subject to sweeping US government surveillance. The EU-US Data Privacy Framework is intended to address these concerns.{{cite news|first1=David|last1=Shepardson|first2=Philip|last2=Blenkinsop|access-date=2022-11-01|title=Biden signs order to implement EU-U.S. data privacy framework|url=https://www.reuters.com/technology/biden-signs-order-implement-eu-us-data-privacy-framework-2022-10-07/|newspaper=Reuters|date=8 October 2022}}{{cite web|access-date=2022-11-01|title=US expected to publish Privacy Shield executive order next week|url=https://www.politico.eu/article/us-expected-to-publish-privacy-shield-executive-order-next-week/|date=27 September 2022|website=Politico}}{{cite web|access-date=2022-11-01|title=Legal Questions Loom Over Latest Trans-Atlantic Data Flows Deal|url=https://news.bloomberglaw.com/privacy-and-data-security/legal-questions-loom-over-latest-trans-atlantic-data-flows-deal|website=news.bloomberglaw.com}}
After the invalidation of the EU–US Privacy Shield in July 2020, companies wishing to transfer data between the EU and the US "have faced confusion, higher compliance costs, and challenges for EU–US business relationships".
The European Parliament raised substantial doubts whether the new agreement reached by Ursula von der Leyen actually conforms with EU laws, as it still does not sufficiently protect EU citizens from US mass surveillance and fails to enforce basic human digital rights in the EU.{{Cite web |title=Texts adopted - Adequacy of the protection afforded by the EU-U.S. Data Privacy Framework - Thursday, 11 May 2023 |url=https://www.europarl.europa.eu/doceo/document/TA-9-2023-0204_EN.html |access-date=2024-05-30 |website=www.europarl.europa.eu |language=en}} In May 2023, a resolution on this matter passed the European Parliament with 306 votes in favor and 27 against.{{Cite web |title=Procedure File: 2023/2501(RSP) {{!}} Legislative Observatory {{!}} European Parliament |url=https://oeil.secure.europarl.europa.eu/oeil/popups/ficheprocedure.do?lang=en&reference=2023/2501(RSP) |access-date=2024-05-30 |website=oeil.secure.europarl.europa.eu}} The NGO NOYB (European Center for Digital Rights) has announced that it will challenge the framework again before the European Court of Justice.{{Cite web |title=European Commission gives EU-US data transfers third round at CJEU |url=https://noyb.eu/en/european-commission-gives-eu-us-data-transfers-third-round-cjeu |access-date=2024-05-30 |website=noyb.eu |language=en}}
History
On March 25, 2022, it was announced that the European Commission and the United States had committed to a "Trans-Atlantic Data Privacy Framework" in reaction to the failure of the EU-US Privacy Shield.{{Cite web |date=2022-03-25 |title=FACT SHEET: United States and European Commission Announce Trans-Atlantic Data Privacy Framework |url=https://bidenwhitehouse.archives.gov/briefing-room/statements-releases/2022/03/25/fact-sheet-united-states-and-european-commission-announce-trans-atlantic-data-privacy-framework/ |access-date=2024-03-05 |website=The White House |language=en-US}}
In October 2022, U.S. President Joe Biden signed an executive order to implement the framework.
In May of 2023, the European Data Protection Board approved the Commission's adequacy decision draft that was published on December 13, 2022.{{cite web |date=28 February 2023 |title=Opinion 5/2023 on the European Commission Draft Implementing Decision on the adequate protection of personal data under the EU–US Data Privacy Framework |url=https://edpb.europa.eu/our-work-tools/our-documents/opinion-art-70/opinion-52023-european-commission-draft-implementing_en |access-date=2023-03-01 |publisher=European Data Protection Board}}
Although not binding on the European Commission, on 11 May 2023 the European Parliament voted in favour of a resolution calling on the Commission to renegotiate the Framework{{Cite web |last=Silver |first=Andrew |date=2023-05-12 |title=Parliament calls on Commission not to adopt EU-US data deal |url=https://www.researchprofessionalnews.com/rr-news-europe-regulation-2023-5-parliament-calls-on-commission-not-to-adopt-eu-us-data-deal/ |access-date=2023-08-14 |website=Research Professional News |language=en-GB}} and not to adopt an adequacy finding on the basis that "the EU–U.S. Data Privacy Framework fails to create essential equivalence in the level of protection".{{Cite web |date=11 May 2023 |title=Texts adopted – Adequacy of the protection afforded by the EU-U.S. Data Privacy Framework |url=https://www.europarl.europa.eu/doceo/document/TA-9-2023-0204_EN.html |access-date=2023-06-16 |publisher=European Parliament |language=en}}
On July 10 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework, thereby allowing transfer of personal data from the EU to the U.S. on the basis of Article 45 of the GDPR.
Under the new Trump Administration doubts have arisen as to the future of the Framework.{{cite web |date=28 February 2025 |title=Deafening Commission silence with no credible EU-US data oversight left |url=https://www.euractiv.com/section/tech/news/deafening-commission-silence-with-no-credible-eu-us-data-oversight-left/ |access-date=2025-03-01 |publisher=Euractiv}}
Data Protection Review Court
The Data Protection Review Court (DPRC) is a three-judge panel, established in Executive Order 14086 of 7 October 2022, which will deal with appeals made to the decisions of the Civil Liberties Protection Officer of the Office of the Director of National Intelligence as described by the EU-U.S. Privacy Framework.{{Cite web |title=Executive Order 14086 Enhancing Safeguards for United States Signals Intelligence Activities |url=https://www.federalregister.gov/executive-order/14086 |first=Joe |last=Biden |authorlink1=Joe Biden |date=7 October 2022 |access-date=2024-03-11 |website=Federal Register}} The decisions made by the DPRC have binding authority.{{CodeFederalRegulations|28|201.9}}(g){{Cite web |title=Press corner |url=https://ec.europa.eu/commission/presscorner/home/en |access-date=2023-01-30 |website=European Commission - European Commission |language=en}}
See also
References
{{reflist}}
External links
- [https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en EU-US data transfers] webpage of the European Commission
- [https://www.dataprivacyframework.gov/ Data Privacy Framework List] website of the US International Trade Administration
- [https://eur-lex.europa.eu/eli/dec_impl/2023/1795 Commission Implementing Decision EU 2023/1795] of the European Commission on EUR-Lex
- [https://www.law.cornell.edu/cfr/text/28/part-201 28 CFR Part 201] (Data Protection Review Court) of the US Code of Federal Regulations from the LII
- [https://www.ecfr.gov/current/title-28/part-201 28 CFR Part 201] (Data Protection Review Court) of the US Code of Federal Regulations from the OFR