
Newly Agreed EU-US Data Privacy Framework Lifts Privacy Red Tape

Experts have welcomed the agreement of new privacy-focused rules on how personal data can be transferred between US and EU companies.

The EU-US Data Privacy Framework was developed to replace the Privacy Shield, which was invalidated through a decision by the European Court of Justice in 2020.

The court acted on concerns about a lack of adequate safeguards in both Privacy Shield and the earlier Safe Harbour agreement, which meant that personal data leaving EU borders might become subject to sweeping US government surveillance.

Cleared To Transmit

The EU-US Data Privacy Framework, put forward by the US government last year, was endorsed by the European Commission in July 2023 after deciding that the US “ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new framework”.

This “adequacy decision” means personal data can “flow safely from the EU to US companies participating in the framework” without the need for additional data protection safeguards required under interim pre-agreement measures.

Commitments

The DPF program website provides information on how companies can update their privacy policies and procedures and implement safeguards before self-certifying themselves as compliant and joining the DPF program. European organisations can use the same website to check a partner’s DPF program commitments.

The framework grants EU individuals whose data gets transferred to participating companies in the US several new rights, such as the right to access, correct, and delete their personal data.

The trans-Atlantic data flow deal promises to remove existing bureaucratic obstacles and uncertainties.

Reducing Uncertainties

Becky White, a data protection and privacy solicitor at UK law firm Harper James, said the framework promised to simplify doing business between European and US companies while warning that some potential obstacles to its implementation are yet to be overcome.

“Although the proposed data bridge is welcome news for organisations in both the US and the UK, particularly in light of ongoing uncertainties regarding international data transfers, and should mean that the process of contracting with suppliers or customers in the US becomes much more straightforward and less time consuming for UK businesses, the UK has some critical hurdles to surmount before it is implemented.” Aspects of policy and legislative alignment work on both sides of the Atlantic remain incomplete, White warned.

“Firstly, it will depend on the US designation of the UK as a qualifying state under President Biden’s Executive Order 14086 (which established data protection safeguards for US signals intelligence agencies),” White explained.

“In addition, the UK government’s proposed Data Protection and Digital Information Bill (DPDI 2) is fairly close to enactment, and although the government continues to assert that the planned changes to the UK data protection regime will not jeopardise EU adequacy, no confirmation of that has been made by the EU.”

Building Cybersecurity Resilience

Pooling intelligence and data sharing is vital in building robust cybersecurity defences.

Jon France, CISO at the cybersecurity industry professional development and certification association (ISC)², told ISMS.online that lifting obstacles to cross-Atlantic data sharing will improve cybersecurity cooperation.

“The adequacy decision on the EU-US Data Privacy Framework introduces significant improvements for companies on both sides of the Atlantic,” according to France. “It is encouraging that we are reaching a state where cross-border data flow is ensured, and companies participating in the framework will have the freedom to transfer data safely.”

France continued: “In the security world, access to data is key for the detection and remediation of attacks. The ability to move such data between transatlantic parties, in both the public and private sectors, will improve defences across both continents.”

The promise of improved security offered by the framework will only be fulfilled if organisations get their own house in order, France warned.

“Upholding privacy relies on and requires effective cybersecurity; the two go hand in hand,” according to France. “Organisations have a responsibility to maintain an adequate level of protection of personal data, including strict obligations on sharing with third parties, and must comply with privacy principles, such as limitations on data retention.”

France concluded: “At their core, businesses should adopt robust cybersecurity practices to safeguard data and build digital trust.”

Policy Harmonisation

Sam Peters, ISMS.online’s CPO, welcomed the agreement as a helpful aid in navigating the intricacies of data protection rules.

“The recent EU-US data adequacy agreement marks a significant milestone in the international data privacy landscape,” Peters explained. “It outlines a critical framework that not only aims to safeguard personal data transferred across the Atlantic but also to enhance compliance, transparency, and accountability for US companies.”

Peters continued: “The agreement is not just another bureaucratic hurdle but a vital tool to navigate the intricacies of data protection in our increasingly interconnected digital world. This agreement presents a solid framework for harmonising data transfer policies across the Atlantic, placing stringent privacy obligations on participating US companies.”

Tenets

The agreement offers a framework to apply privacy protection best practices.

“At the heart of this agreement is the EU-U.S. Data Privacy Framework,” according to Peters. “This scheme enables US companies to validate their commitment to a comprehensive set of privacy obligations. It champions purpose limitation, data minimisation, and data retention and outlines specific obligations concerning data security and sharing with third parties.”

Peters added: “Such measures exemplify the agreement’s intent to fortify data safeguarding. These commitments are not merely principles on paper; they directly influence businesses’ operational strategies.”

The US Department of Commerce will handle the framework’s administration, overseeing the certification application process and monitoring participating companies’ ongoing compliance. The US Federal Trade Commission enforces compliance, indicating a “strong commitment to the accord’s data protection objectives”, according to ISMS.online’s Peters.

Data Bridge

UK data handling rules must align with EU regulations to avoid upsetting a delicate balance.

Harper James’ White warned: “If the enactment of DPDI 2 overturns the UK EU adequacy decision, this may, in turn, impact the implementation of the UK-US data bridge, which is broadly seen as an extension to the EU-US data privacy framework currently being assessed and an alignment of the position under the UK GDPR with the EU GDPR for data transfers from the UK to US organisations that certify for the scheme.”

Get Ready

The adequacy decision took effect from its adoption on 10 July. There’s no explicit timeline for compliance. However, the European Commission is scheduled to review the effectiveness of the US legal framework periodically, initially one year into the introduction of the framework.

ISMS.online’s Peters warned: “It’s essential to note that adequacy decisions can be adapted or withdrawn if developments impact the third country’s protection level.”

Companies should waste no time in reviewing their policies and procedures to meet the provisions of the framework, Peters advised.

“To be prepared for this transformative data privacy landscape, businesses must start by thoroughly reviewing their current data handling practices,” ISMS.online’s Peters explained. “Ensuring alignment with the framework’s principles will be crucial in validating compliance and avoiding potential regulatory penalties.”

Peters concluded: “The EU-US data adequacy agreement undeniably adds a new dimension to the global data privacy arena. In the short term, businesses might see this as an added regulatory burden. However, data privacy and security are increasingly important to consumers and businesses. In this respect, the agreement catalyses positive change, enforcing a global standard for data protection.”
