The European Union (E.U.) released a draft Data Privacy Framework (DPF) that outlines E.U.-U.S. data transfer and privacy policies, to go into effect in 2023. This draft was submitted to the European Data Protection Board and is subject to further approval before it can become finalized.
The draft deal document outlines the rules for "the transfer of personal data from controllers or processors in the Union to third countries and international organizations to the extent that such transfers fall within its scope of application".
The "E.U.-U.S. Data Privacy Framework Principles" include several key sections, which detail what constitutes private and personal data, transfer limitations and restrictions, transparency rules, and data accuracy. Personal data is defined as "data about an identified or identifiable individual that are within the scope of the GDPR received by an organization in the United States from the E.U., and recorded in any form".
Why is this framework necessary, and what is its ultimate goal? A bit of backstory.
The E.U. has what is called the General Data Protection Regulation (GDPR), privacy legislation that went into effect in 2018 and establishes protections for the personal data of individuals located in Europe. However, for countries outside of the E.U., where the GDPR is not law, the European Commission (EC) assesses on a country-by-country basis whether a country meets the E.U.'s data protection laws in order for data to be transferred into that country. Where does the U.S. fit into this? The U.S. has never sought to be included in the list of countries with adequate data protection; therefore, under the GDPR legislation alone, data cannot be transferred from the E.U. into the U.S.
That would make it impossible for hundreds of U.S. companies and organizations to operate. This is where a program called the Privacy Shield comes into play: participating companies are deemed to have adequate protection, which facilitates the transfer of information. Individual U.S. companies and organizations apply to be included in the Privacy Shield program, and if their privacy policy is deemed safe enough, they are allowed to receive data from the E.U.
The Privacy Shield was the ruling framework for E.U.-U.S. data transfer until being invalidated by the Court of Justice of the European Union (CJEU) in 2020 due to "its inability to protect EEA data subject's personal information from the U.S. Government's surveillance powers. Those powers are derived from national surveillance laws". In other words, under U.S. national security laws, the country can collect personal data on the premise that this ensures the safety of the country. Google (NASDAQ: GOOGL), Meta (NASDAQ: META), and many others have been hit with warnings or penalties from the E.U. for illegal data transfer and violation of E.U. privacy rules.
Since the Privacy Shield was invalidated, the Biden Administration and the EC have been working together to establish a new framework that will support cross-border data transfer between the E.U. and the U.S. The result of these efforts is seen in the draft document of the Trans-Atlantic Data Privacy Framework. In order to be finalized, the DPF must go through adoption procedures, which include approval from a committee of E.U. Member States and the European Parliament.
The E.U.'s justice commissioner, Didier Reynders, believes the DPF could be finalized before July 2023, subject to any legal challenge. In a letter accompanying the release of the DPF draft, Reynders stated: "Today's draft decision is the outcome of more than one year of intense negotiations with the U.S. that I led together with my U.S. counterpart Secretary of Commerce Raimondo. Over the past months, we assessed the U.S. legal framework provided by the Executive Order as regards the protection of personal data. We are now confident to move to the next step of the adoption procedure. Our analysis has showed that strong safeguards are now in place in the U.S. to allow the safe transfers of personal data between the two sides of the Atlantic. The future Framework will help protect the citizens' privacy, while providing legal certainty for businesses. We now await for the feedback from the European Data Protection Board, Member States' experts and the European Parliament".
In an increasingly globalized and interconnected world this can only be seen as a step in the right direction. While the E.U. is ages ahead of the U.S. when it comes to data privacy, the DPF underscores its importance to the U.S. economy and will hopefully push the country towards adopting more stringent privacy laws.