The EU and U.S. flags are seen as binary data streams.

Understanding the New EU–U.S. Data Privacy Framework

March 5, 2024 | Purdue Global Law School

The free flow of data is essential to global commerce. However, those data flows must ensure the security and privacy of sensitive personal information.

The European Union and United States have agreed upon a new Data Privacy Framework (DPF) for balancing those objectives. The EU–U.S. DPF is designed to facilitate the transfer of personal data on EU citizens to the U.S. while ensuring that companies handle data according to certain core privacy principles.

The EU has far stricter privacy laws than the U.S., which has not passed meaningful privacy legislation at the federal level. The EU–U.S. DPF benefits organizations and individuals on both sides of the Atlantic by eliminating uncertainty surrounding cross-border data transfers. It is particularly valuable for multinational companies that operate on both continents.

EU Data Privacy Requirements (GDPR)

The EU’s General Data Protection Regulation (GDPR) controls how organizations can use, process, and share the personal data of EU citizens. To comply, organizations must implement appropriate technologies and procedures to ensure data privacy and security. The GDPR also requires that organizations report a data breach to the appropriate supervisory authority “without undue delay and, where feasible, not later than 72 hours.”

More significantly, the GDPR gives EU citizens broad rights regarding the collection and use of their data. Before using an individual’s data, organizations must obtain consent expressed by “a statement or clear affirmative action.” Individuals have the right to request the deletion of their data and the right to correct any inaccuracies. Organizations must also provide individuals with their personal data upon request for transfer to another organization.

Article 45 of the GDPR gives the European Commission the power to make an “adequacy decision” regarding transfers of personal data outside the EU. The country to which data will be transferred must provide a level of protection comparable to that provided within the EU. Once an adequacy decision is made, personal data may be transferred to that country without additional safeguards.

Concerns Over U.S. Intelligence Activities

On July 10, 2023, the European Commission adopted an adequacy decision regarding the EU–U.S. DPF. U.S. organizations participating in the DPF will be deemed to provide adequate protection for personal data transferred from the EU and European Economic Area. The DPF supersedes the EU–U.S. Privacy Shield, which is no longer a valid mechanism for complying with EU data protection requirements.

The Court of Justice of the EU (CJEU) invalidated the adequacy decision for the Privacy Shield in 2020 due to concerns regarding U.S. “signals intelligence” — the monitoring of communications and electronic signals used by foreign targets. The U.S. and EU negotiated and collaborated for years to develop an acceptable privacy framework.

In October 2022, President Biden issued Executive Order (EO) 14086 outlining the privacy principles that must undergird signals intelligence. While signals intelligence is important to national security, the EO notes that “all persons have legitimate privacy interests in the handling of their personal information.” Thus, the EO lists a limited set of objectives for signals intelligence as well as prohibited objectives, such as restricting privacy interests. The EO also establishes a redress mechanism for reviewing complaints about U.S. signals intelligence activities.

Participating in the DPF Program

Most organizations that participated in the Privacy Shield will find that the DPF is similar. In fact, organizations that were registered under the Privacy Shield were automatically transferred to the DPF program. However, organizations must update their privacy policies to indicate their commitment to the DPF. This requires more than just changing the program name. Privacy policies should reflect the DPF Principles following sample language provided by the U.S. Department of Commerce.

Organizations that wish to join the program should visit the DPF website launched by the Commerce Department’s International Trade Administration on July 17, 2023. The site provides instructions on how U.S. companies can self-certify their compliance with the DPF Principles. Upon approval by the Commerce Department, the organization will be added to the list of DPF participants.

The DPS covers the European Economic Area (EEA), which does not include Switzerland. Thus, Switzerland has developed its own privacy principles. Organizations that are self-certified for compliance with the Swiss–U.S. Privacy Shield must demonstrate compliance with the Swiss–U.S. DPF Principles. The Swiss framework defines sensitive data somewhat differently than the EU–U.S. framework. Additionally, it falls under the authority of the Swiss Federal Data Protection and Information Commissioner.

With Brexit, the U.K. withdrew from the EU and developed its own privacy rules. The U.S. and U.K. have established a “data bridge,” which went into effect on October 12, 2023. The U.K.–U.S. Data Bridge allows for the transfer of data to organizations that have self-certified under the DPF.

Aggressive Enforcement Expected

The DPF Principles can be enforced under U.S. law. The Federal Trade Commission and other regulatory agencies are expected to enforce the DPF aggressively to demonstrate its effectiveness to the EU. Organizations should ensure that their policies follow the DPF Principles to reduce the risk of an investigation and potential fines. The FTC will also likely investigate organizations that claim participation in the DPF but were never certified or did not maintain certification.

The Commerce Department estimates that data transfers between the EU and U.S. facilitate more than $1 trillion in trade and investment annually. The DPF enables organizations of all sizes and in every industry to benefit from this economic relationship by streamlining data transfers while meeting EU privacy requirements.

Learn More About New Developments in Law

Stay up to date on the most current legal developments in California and the rest of the nation with Purdue Global Law School.

Purdue Global Law School offers an online Juris Doctor if you wish to become an attorney licensed in California. If you wish to advance your legal education but do not intend to become a practicing attorney, you may consider an online Executive Juris Doctor.

Single law courses are also available to help you explore a particular area of law without committing to a full degree program. Request more information today.

About The Author

Purdue Global Law School

Established in 1998, Purdue Global Law School (formerly Concord Law School) is Purdue University's fully online law school for working adults.