EU approves US approach to safeguard transatlantic data flows


The European Commission released a decision approving the implementation of the EU-US Data Privacy Framework, requiring stricter protocols for the U.S. government.

The European Union unveiled its decision to implement the joint EU-US Data Privacy Framework Monday, representing a major step in transatlantic data protection for digital information flows, absent federal regulation in the U.S.

Data privacy laws in the EU are notably more stringent than in the U.S., and recent major legal decisions have found that European citizen data transfers handled by U.S. tech companies did offer a sufficient level of protection consistent with EU data privacy law.

The EU announcement signals that, following its analysis, the European Commission determined that existing U.S. data privacy governance, specifically a 2022 executive order restricting U.S. government surveillance practices and an accompanying Department of Justice redress mechanism, is safe enough to support EU citizen data transfers.

The framework and decision both place major responsibility on the U.S. government to protect EU citizens’ personal data. 

U.S. companies will be eligible to join the EU-U.S. Data Privacy Framework by committing to comply with privacy obligations, including the deletion of personal data when no longer necessary for its initial purpose. 

“The new EU-U.S. Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic,” said Ursula von der Leyen, the President of the EU. “Today we take an important step to provide trust to citizens that their data is safe, to deepen our economic ties between the EU and the U.S., and at the same time to reaffirm our shared values. It shows that by working together, we can address the most complex issues.”

The decision to implement the framework touts the independent redress group, the Data Protection Review Court, formed by President Joe Biden in response to EU regulators’ needs for stronger protections for European data. 

“Today’s announcement represents the culmination of years of close cooperation between the United States and the European Union, and affirms the strength of our transatlantic relationship founded on our shared democratic values and vision for the world,” Biden said in a statement released Monday. “The decision reflects our joint commitment to strong data privacy protections and will create greater economic opportunities for our countries and companies on both sides of the Atlantic.”

U.S.-based firms can expect more clarity after years of uncertainty in this decision, according to Caitlin Fennessy, vice president of the International Association of Privacy Professionals. Fennessy told Nextgov/FCW that U.S. businesses have clearer guardrails for doing business in the EU.

“What it means for technology companies, and a really broad array of companies, is that there is a lot more certainty and a lot more assurance that they can partner with EU companies, that they can do business in the EU without running afoul of EU Data transfer rules,” Fennessy said.

With the adequacy assessment approved, U.S. companies will not need to conduct transfer impact assessments, which gauge the level of security the U.S. government places on international data transfers. 

Companies working within the joint Data Privacy Framework will commit to security procedures that act as a solution for impact mechanisms and assessments. 

“Going forward, I would expect a whole number of companies, likely thousands, to join, self-certify to the new data privacy framework and use that as their transfer mechanism rather than something like standard contractual clauses,” Fennessy said.

Stricter data privacy compliance is lacking in domestic U.S. law. Fennessy noted that these international accords heighten the importance of privacy protections in general, but that while these accords prompt change in government conduct, data privacy regulation within the private sector will come with legislation. 

“There will continue to be concerns about the seriousness with which the U.S. takes privacy issues,” she said. “I think at this stage the U.S., among its democratic allies, is one of the only countries without a comprehensive federal privacy law. So I expect continued pressure and interest in moving on forward.”