Blog
Blog » NEW EU – US DATA PRIVACY FRAMEWORK - SIMPLIFIED DATA TRANSFER TO THE US
NEW EU – US DATA PRIVACY FRAMEWORK - SIMPLIFIED DATA TRANSFER TO THE US
14 September 2023
With the Schrems II judgment, which invalidated the Privacy Shield, the CJEU (Court of Justice of the European Union) make it more difficult to comply with the GDPR for companies transferring personal data from the EU to the US. However, the new EU-US Data Privacy Framework (or “Framework”) adopted on 10 July aims to put an end to this situation. But how does the Framework make data transfers between the EU and US easier? In this short article, we explain the basics of the new Framework and answer the above question.
1. Background
Based on the adequacy decision that preceded the new EU-US Data Privacy Framework, the so-called Privacy Shield, adopted in 2016, US companies could register under the Privacy Shield and once they did so, the European Commission recognised that the US provided adequate protection for personal data transferred to such companies. This meant that no additional safeguards were needed for data transfers to such companies.
However, the CJEU, in the 2020 Schrems II judgment, invalidated the Privacy Shield stating that US laws did not provide adequate protection, in particular, due to the excessive rights of the national security organisations and lack of appropriate legal remedies.
In the absence of the adequacy decision, parties making such transfers should have applied a complex set of rules providing other additional safeguards, most commonly the standard data protection clauses adopted by the European Commission.
However, following the negotiations between EU and the US, the US passed a legislation aimed at addressing the problems identified in the Schrems II judgment.
2. EU – US Data Privacy Framework
After the above-mentioned legislation, the European Commission concluded that the US now ensures an adequate level of protection for personal data transferred from the EU to companies participating in the EU-US Data Privacy Framework.
The Commission has based its decision on the following.
The Framework, by adopting new set of rules and binding safeguards, limits access to EU data by US intelligence services to what is necessary and proportionate.
Moreover, the new Framework provides access for EU citizens to an independent and impartial redress mechanism regarding the collection and use of their data by US intelligence agencies, which includes a newly created Data Protection Review Court (DPRC).
Based on the above, personal data can be transferred to US companies participating in the EU-US Data Privacy Framework without being subject to any further conditions or authorisations. Consequently, the transatlantic data transfers may be based on solely on the Framework, instead of the currently used standard contractual clauses.
3. Certification of the US companies
It is noted that to participate in the Framework, US companies, shall, of course, comply with Framework, and, similar to the previous Privacy Shield, make a certification application to be added to the “Data Privacy Framework List”.
Once the US organisation are placed in the above-mentioned List, it can receive personal data on the basis of the Framework.
Moreover, US companies, who are already registered in the previous Privacy Shield, can rely immediately on the Framework but they shall also take actions to comply with the new Framework until 10 October 2023, for instance, they need to update their privacy policies.
4. Summary
After the invalidation of the Privacy Shield, the situation for companies that transfer a personal data to the US has become more difficult, as companies should apply specific data protection clauses to each transfer to the US.
However, the recently adopted EU – US Data Privacy Framework remedied the problems identified in the Schrems II judgment, subsequently, according to the European Commission, the US now provides the effective legal protection as well as the right to an adequate judicial remedy for those whose personal data are made available to US national security organisations.
The adoption of Framework significantly makes it easier to transfer personal data from the EU to the US, as a certified US company can receive personal data from the EU solely based on the Framework instead of the currently used standard contractual clauses.
However, it is noted that US companies, can only use the Framework if they apply for certification and they are added to the Data Privacy Framework List.
Those US companies, who are already registered in the previous Privacy Shield, are in a better position as they can rely immediately on the Framework, but they shall also take actions to comply with the new Framework until 10 October 2023.
-
CJEU DECISION IN A GDPR-RELATED CASE: DOES THE VIOLATION OF THE GDPR AUTOMATICALLY CONSTITUTE NON-MATERIAL DAMAGE?
Does the infringement of the data subjects’ rights by the controller give automatically rise to compensation? Can the controller be exempted from liability solely on the basis that the damage was the result of the fact that its employee did not comply with its instructions? What are decisive criteria to determine the amount of damages? In this article we analyse the fresh decision of the CJEU which addressed the previous questions.
Read more » -
HUNGARY – PERSONAL SCOPE EXTENSION OF JURISDICTION CLAUSE TO NON-SIGNATORY UNDER BRUSSELS IBIS
Does the principle of independence of the choice-of-court agreement require that parties shall expressly transfer the dispute resolution clause in case of transfer of the main contract? When can the personal scope of a jurisdiction agreement be extended to a non-signatory? A Hungarian appellate court decided upon these questions under the Brussels Ibis Regulation in a recent judgment
Read more » -
SETTING ASIDE ARBITRAL AWARDS IN HUNGARY
Given that there is no right of appeal in arbitration proceedings, it is important to be aware of what other legal remedies are available to you against an arbitral award. According to the Hungarian Arbitration Act, the parties may request the competent state court to set aside the award, which is a “mandatory” remedy, which cannot be waived by the parties in advance.
Read more »