What is the EU – U.S. Data Privacy Framework?

by John DiGiacomo

Partner

Internet Law

With respect to consumer and personal data collected by online businesses, sites, and sales platforms, the European Union (“EU”) and the United States have different statutory and regulatory regimes. There are many similarities, but there are also significant differences. However, given that so much business is global and cross-border, enormous volumes of personal and consumer data flow between the various nations of Europe and the United States. Moreover, data storage is also global, and a U.S.-based company may have huge amounts of data stored at European-based data storage facilities. Stored data must be accessed, and this creates another enormous flow of data between Europe and the U.S.

In the absence of some sort of standardization, these data flows will be impeded as regulators on both sides of the Atlantic Ocean seek to enforce different legal standards. Just as importantly, businesses face uncertainty as to whether they will face administrative or regulatory enforcement actions. Uncertainty is generally a “bad” thing for businesses.

What is the EU – U.S. Data Privacy Framework?

In response to these concerns, the EU – U.S. Data Privacy Framework (“DPF”) was drafted, promulgated, and approved in the summer of 2023. The DPF is a set of rules and guidelines that allow businesses to be certified as compliant with both European and U.S. privacy laws and regulations. The EU’s regulations are called the General Data Protection Regulation (“GDPR”), and the U.S. has a set of State-level laws such as the recently enacted Kentucky Consumer Data Protection Act.

The first such law was enacted by California in 2018 and there are now about 19 States with similar laws. The California statute was based on the GDPR and the other U.S. State laws have been based on the California version. Thus, there is a lot of similarity between the European and American data regulations and rules. For this reason, it is not too difficult for companies to become compliant with the requirements of the two regulatory regimes. Once a company has become certified under the DPF, cross-border and cross-Atlantic data transfers can flow unimpeded without too much risk of regulatory or administrative enforcement actions. Certifications must be annually renewed.

There were previous versions of the DPF called the EU-U.S. Safe Harbor and then the EU-U.S. Privacy Shield. For various reasons, those were deemed invalid and have now been replaced with the DPF.

What was the “problem” that resulted in the new EU – U.S. Data Privacy Framework?

The general rules and regulations for protecting personal and consumer data are similar between the GDPR and U.S. State statutes. Generally speaking, the rules/regulations require businesses collecting and processing data to give notices of what data is being collected/processed, to obtain consents allowing collection/processing, to allow a person access to their data, to allow a person to opt out of having data processed, and more.

However, access — or potential access — by U.S. intelligence services to European personal data became the issue that led to the new DPF. As discussed here, the new DPF builds safeguards limiting access to data by U.S. intelligence authorities to what is necessary and proportionate to protect national security, enhances oversight of activities by U.S. intelligence services, and establishes a new Data Protection Review Court to investigate and resolve complaints regarding access to data by U.S. national security authorities.

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
