With respect to consumer and personal data collected by online businesses, sites, and sales platforms, the European Union (“EU”) and the United States have different statutory and regulatory regimes. There are many similarities, but there are also significant differences. However, given that so much business is global and cross-border, enormous flows of personal and consumer data transfer between the various nations of Europe and the United States. Moreover, data storage is also global, and a U.S.-based company may have huge amounts of data stored at European-based data storage facilities. Stored data must be accessed and this created another enormous flow of data between Europe and the U.S.

In the absence of some sort of standardization, these data flows will be impeded as regulators on both sides of the Atlantic Ocean seek to enforce different legal standards. Just as importantly, businesses face uncertainty as to whether they will face administrative or regulatory enforcement actions. Uncertainty is generally a “bad” thing for businesses.

What is the EU – U.S. Data Privacy Framework?

In response to these concerns, the EU – U.S. Data Privacy Framework (“DPF”) was drafted, promulgated, and approved in the summer of 2023. The DPF is a set of rules and guidelines that allow businesses to be certified as compliant with both European and U.S. privacy laws and regulations. The EU’s regulations are called the General Data Protection Regulation (“GDPR”), and the U.S. has a set of State-level laws such as the recently enacted Kentucky Consumer Data Protection Act.

The first such law was enacted by California in 2018 and there are now about 19 States with similar laws. The California statute was based on the GDPR and the other U.S. State laws have been based on the California version. Thus, there is a lot of similarity between the European and American data regulations and rules. For this reason, it is not too difficult for companies to become compliant with the requirements of the two regulatory regimes. Once a company has become certified under the DPF, cross-border and cross-Atlantic data transfers can flow unimpeded without too much risk of regulatory or administrative enforcement actions. Certifications must be annually renewed.

There were previous versions of the DPF called the EU-U.S. Safe Harbor and then the EU-U.S. Privacy Shield. For various reasons, those were deemed invalid and have now been replaced with the DPF.

What was the “problem” that resulted in the new EU – U.S. Data Privacy Framework?

The general rules and regulations for protecting personal and consumer data are similar between the GDPR and U.S. State statutes. Generally speaking, the rules/regulations require businesses collecting and processing data to give notices of what data is being collected/processed, to obtain consents allowing collection/processing, to allow a person access to their data, to allow a person to opt-out of having data processed, and more.

However, access — or potential access — by U.S. intelligence services to European personal data became the issue that led to the new DPF. As discussed here, the new DPF builds safeguards limiting access to data by US intelligence authorities to what is necessary and proportionate to protect national security, enhances oversight of activities by US intelligence services, and establishes a new Data Protection Review Court to investigate and resolve complaints regarding access to data by US national security authorities.

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.