09 Sep 2024

First review of the EU-US Data Privacy Framework

Executive summary 

We welcome the first periodic review by the European Commission and European data protection authorities (DPAs) to ensure the Data Privacy Framework’s (DPF) functioning. 

EU-US bilateral trade has reached over €1.6 trillion in 2023, as the US continues to be the EU’s largest trading and geopolitical partner. For the digital and digitalising industry in Europe, a strong DPF, additionally to standard contractual clauses (SCCs) and binding corporate rules (BCRs), can stabilise bilateral trade and economic collaboration whilst protecting Europeans personal data. 

  • Implementing the DPF since July 2023

Today, over twenty DIGITALEUROPE members are certified under the DPF as active participants in the framework. Certified companies and their trading partners can thus benefit from increased trust and reliability for data flows, whilst removing some of the burden for companies to assess third-country laws and practices. 

The DPF also improved the efficiency of SCCs, for which some DPAs had required additional transfer impact assessments, at costly legal advice. This is particularly the case when SCCs need to be regularly updated. Additionally, there are currently dozens of sets of SCCs across the globe that have not been mutually recognised. 

We welcome the European Data Protection Board’s (EDPB) confirmation that transfers based on the adequacy decision do not need to rely on Art. 46 GDPR transfer tools. Indeed, once one of the Art. 46 GDPR transfer tools is implemented, additional assessments or supplementary measures should not be required. Safeguards put into place by the US government in the area of national security apply to all personal data transfers to companies in the US. 

We therefore recommend continued exchanges on data flows with the US, as the EU’s largest trade and investment partner holding shared democratic values.

  • New safeguards under the framework

The DPF’s consistency with the Schrems II findings was thoroughly analysed in an independent legal analysis issued by Linklaters in February 2023, commissioned by DIGITALEUROPE and BusinessEurope. The analysis focused on the choice of an Executive Order as a legal instrument in light of the legality principle, the principles of proportionality and necessity applied to the restriction of the fundamental rights to privacy and personal data protection in the context of signals intelligence activities, and the new redress mechanism available to EU individuals. 

Significant steps have been taken by the US to protect individuals’ fundamental right to data protection. New safeguards in place under Executive Order 14086, with the Attorney General Regulation establishing a Data Protection Review Court, aim to respond to concerns raised by the Court of Justice of the European Union in the Schrems II case. 

With the DPF’s implementation – and now that the e-Evidence Regulation has been adopted – we encourage progress in negotiations of the EU-US Cloud Act agreement. The Cloud Act’s remit is limited to electronic evidence in the context of criminal investigations, which most often will be personal data. In this context, it is estimated that over half of all investigations in the EU include a request for data stored abroad, in large part addressed to the US.

The DPF, alongside other mechanisms such as SCCs and BCRs, gives companies sufficient balance to rely on steady data flows. The DPF may also have a positive influence on developing agreements with other third countries. 

For more information, please contact:
Béatrice Ericson
Manager for Data Economy & Privacy
Alberto Di Felice
Policy and Legal Counsel
Back to Artificial Intelligence & Data
View the complete Policy Paper
PDF
Our resources on Artificial Intelligence & Data
19 Jun 2024 Publication & Brochure
The EU's Critical Tech Gap: Rethinking economic security to put Europe back on the map
09 Feb 2024 resource
The GDPR six years in: from harmonisation to alignment
15 Jan 2024 resource
DIGITALEUROPE’s response to the public consultation on a reporting scheme for data centres in the EU
Hit enter to search or ESC to close
This website uses cookies
We use cookies and similar techonologies to adjust your preferences, analyze traffic and measure the effectiveness of campaigns. You consent to the use of our cookies by continuing to browse this website.
Decline
Accept