Skip navigation

Commission adopted EU-US Data Privacy Framework: emphasizing the importance of redundancy and alternative GDPR solutions

SCOPE EuropeNews

On July 10, the EU-US Data Privacy Framework's adequacy decision was adopted concluding that the US ensures an adequate level of protection comparable to the EU, for data transfers from the EU to participating US companies. This comes after extensive deliberations between the US and the European Commission to establish commitments and a method for secure and reliable data transfers.

Similar to other compliance tools, companies will have to adhere to the Data Privacy Framework, thus complying with specific minimum data protection standards. The Data Privacy Framework's adoption is also supported by the US Executive Order 14086, which serves as the foundation for enhancing the protection of EU citizens' data when processed by US authorities. This order solidifies the commitment of the US to reinforce data protection measures, paving the way for the acceptance of the Data Privacy Framework.

EU-US data transfers has been a contentious topic of discussion for the last couple of years. Considering that the two predecessors of the Data Privacy Framework, namely, the Safe Harbor framework and the EU/US Privacy Shield were invalidated by the CJEU, it leads us to question whether this framework offers adequate safeguards that would prevent future challenges in the court.

The Privacy Shield was deemed invalid because it did not sufficiently address the extensive investigation rights and practices of the US authorities, lacked oversight and redress mechanisms, and failed to provide adequate protection for the personal data of EU citizens. The Data Privacy Framework seeks to address these legal gaps identified by the CJEU. While the adoption of the Data Privacy Framework is a positive step forward backed by additional commitments from the US through the US Executive Order 14086, it remains to be seen if it will pass the judicial test of the CJEU. Over the past week some experts have predicted that the framework may face scrutiny in court, similar to its predecessors.

However, irrespective of a potential court case, it is evident that having an effective solution for secure data transfers is of utmost importance. Diversifying the available tools and ensuring redundancy is crucial in order to prevent reliance on a single tool becoming invalid, whether it is for data transfers between major markets like the EU and the US or involving other third countries. 

Against this background, it is crucial to emphasize the importance of making other solutions available under Chapter V GDPR such as Codes of Conduct, Standard Contractual Clauses and Binding Corporate Rules for companies to rely on. In this spirit, the EU Cloud Code of Conduct has been continuously working to put another option on the market, addressing transfers to third countries. In the coming months for the first time the on-top EU Cloud Code of Conduct module will be available for review. Learn more about the Third Country Transfers initiative: https://eucoc.cloud/en/about/third-country-transfer-initiative

EU-US_data_transfers_adoption.png