What is the EU – U.S. Data Privacy Framework?

by John DiGiacomo

Partner

Internet Law

With respect to consumer and personal data collected by online businesses, sites, and sales platforms, the European Union (“EU”) and the United States have different statutory and regulatory regimes. There are many similarities, but there are also significant differences. However, given that so much business is global and cross-border, enormous flows of personal and consumer data move between the various nations of Europe and the United States. Moreover, data storage is also global, and a U.S.-based company may have huge amounts of data stored at European-based data storage facilities. Stored data must be accessed, and this creates another enormous flow of data between Europe and the U.S.

In the absence of some sort of standardization, these data flows will be impeded as regulators on both sides of the Atlantic Ocean seek to enforce different legal standards. Just as importantly, businesses face uncertainty as to whether they will face administrative or regulatory enforcement actions. Uncertainty is generally a “bad” thing for businesses.

What is the EU – U.S. Data Privacy Framework?

In response to these concerns, the EU – U.S. Data Privacy Framework (“DPF”) was drafted, promulgated, and approved in the summer of 2023. The DPF is a set of rules and guidelines that allow businesses to be certified as compliant with both European and U.S. privacy laws and regulations. The EU’s regulations are called the General Data Protection Regulation (“GDPR”), and the U.S. has a set of State-level laws such as the recently enacted Kentucky Consumer Data Protection Act.

The first such law was enacted by California in 2018 and there are now about 19 States with similar laws. The California statute was based on the GDPR and the other U.S. State laws have been based on the California version. Thus, there is a lot of similarity between the European and American data regulations and rules. For this reason, it is not too difficult for companies to become compliant with the requirements of the two regulatory regimes. Once a company has become certified under the DPF, cross-border and cross-Atlantic data transfers can flow unimpeded without too much risk of regulatory or administrative enforcement actions. Certifications must be annually renewed.

There were previous versions of the DPF called the EU-U.S. Safe Harbor and then the EU-U.S. Privacy Shield. For various reasons, those were deemed invalid and have now been replaced with the DPF.

What was the “problem” that resulted in the new EU – U.S. Data Privacy Framework?

The general rules and regulations for protecting personal and consumer data are similar between the GDPR and U.S. State statutes. Generally speaking, the rules/regulations require businesses collecting and processing data to give notices of what data is being collected/processed, to obtain consents allowing collection/processing, to allow a person access to their data, to allow a person to opt-out of having data processed, and more.

However, access — or potential access — by U.S. intelligence services to European personal data became the issue that led to the new DPF. As discussed here, the new DPF builds safeguards limiting access to data by U.S. intelligence authorities to what is necessary and proportionate to protect national security, enhances oversight of activities by U.S. intelligence services, and establishes a new Data Protection Review Court to investigate and resolve complaints regarding access to data by U.S. national security authorities.

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
