New EU, U.S. privacy framework sets clear data transfer rules

President Joe Biden signed an executive order on a long-awaited European Union-U.S. Data Privacy Framework last month, giving companies legal clarity for data transfers.

The new European Union-U.S. Data Privacy Framework has re-established clear data sharing rules between the two jurisdictions, giving companies that handle EU personal data legal peace of mind.

The data privacy framework is a mechanism for companies, such as social media platforms, that transfer personal data between data centers in the U.S. and EU. While the EU has GDPR protecting its citizens' right to data privacy, the U.S. has no comparable comprehensive federal privacy law, making a compliance framework for data sharing necessary. President Joe Biden implemented the new data privacy framework through an executive order in October.

The U.S. spent two years crafting the new data privacy framework after the EU's Court of Justice struck down the prior data sharing framework, the EU-U.S. Privacy Shield, which was enacted in 2016. The privacy shield was invalidated following the Schrems II court ruling that found fault in how the U.S. government was accessing and using EU personal data.

But without a national framework, companies were also left in limbo and risked facing noncompliance with the EU's GDPR.

"There are multiple legal mechanisms for transferring personal data from the EU to the U.S., but privacy shield was the most achievable of those mechanisms and provided the broadest coverage for different types of data transfers," said Cobun Zweifel-Keegan, managing director of the International Association of Privacy Professionals in Washington, D.C. "Not having that adequacy agreement in place definitely impacted businesses' ability to have compliant data transfers to the U.S."

How companies adapted

Many U.S. companies rely on multiple data transfer mechanisms, including standard contractual clauses between companies, to meet GDPR requirements, which Zweifel-Keegan said became more common following invalidation of privacy shield.

Still, contractual clauses don't address all data transfers that fall within GDPR's scope, such as directly collecting information from data subjects in the EU and transferring that data to the U.S. -- a type of transfer that was covered under the privacy shield agreement.

Some companies reduced the type of data transfers and the quantity of data taken from the EU. Others separated EU and U.S. business operations by creating local data centers in the EU, which in turn created data silos, Zweifel-Keegan said.

"They've tried everything they can to comply with the requirements that are in place, but it's been a very uncertain legal regime for the past couple of years," he said.

Data privacy framework brings back legal certainty

Although the U.S. awaits confirmation that its data transfer commitments are adequate, U.S. companies can already rely on the new data privacy framework, Zweifel-Keegan said.

Most of the changes in the framework focused on altering U.S. intelligence agencies' access to and handling of EU data, which was the basis for invalidating privacy shield. Due to the U.S. commitments outlined in the executive order, such as mandates for handling personal data and a redress mechanism for EU citizens should they feel their data was illegally collected, Zweifel-Keegan said the government addressed concerns raised by the Schrems II decision.

Zweifel-Keegan said it will be a "relatively easy lift" for companies certified under privacy shield to modify their data sharing practices and become certified under the new framework, which outlines similar data sharing practices.

The U.S. Department of Commerce has indicated there will be adjustments to the commercial data sharing requirements in the new framework down the road, but they have yet to be announced. Those changes will likely be "ministerial," Zweifel-Keegan said.

If companies do face costs when implementing the new framework, they'll need to consider whether those costs outweigh the risks they faced previously by not having the right legal data transfer mechanism in place, said Cristobal Cheyre, assistant professor in Cornell University's information science department.

In the two years since privacy shield was invalidated, Cheyre said companies like Meta and Google have faced multiple lawsuits over the transfer of data between the U.S. and EU. The new data privacy framework brings back clear directions for companies to legally transfer data, he said.

"The cost of implementing these measures may be small compared to being faced with not being able to use the data or having to defend yourself from these lawsuits," Cheyre said. "That's the tradeoff companies have to take into account."

Makenzie Holland is a news writer covering big tech and federal regulation. Prior to joining TechTarget, she was a general reporter for the Wilmington StarNews and a crime and education reporter at the Wabash Plain Dealer.