The EU–US Data Privacy Framework is a European Union–United States data transfer framework established under the General Data Protection Regulation (GDPR), agreed to in 2022,[1][2] declared adequate by the European Commission in 2023,[3] and extended to the European Economic Area (EEA) in 2024.[4][5]
Previous such regimes—the EU–US Privacy Shield (2016–2020) and the International Safe Harbor Privacy Principles (2000–2015)—were declared invalid by the European Court of Justice in part due to concerns that personal data leaving EU borders is subject to sweeping US government surveillance. After the invalidation of the EU–US Privacy Shield in July 2020, companies wishing to transfer data between the EU and the US had “faced confusion, higher compliance costs, and challenges for EU–US business relationships”.[6] The EU-US Data Privacy Framework (DPF) is intended to address these concerns.[7][8][6]
The European Parliament raised substantial doubts whether the new agreement reached by Ursula von der Leyen actually conforms with EU laws, as it still does not sufficiently protect EU citizens from US mass surveillance and fails to enforce basic human digital rights in the EU.[9] Under the Trump administration, doubts have arisen as to the future of the Framework.[10]
US Data Protection Review Court
The Data Protection Review Court (DPRC) is a three-adjudicator panel that deals with appeals made against decisions of the Civil Liberties Protection Officer of the Office of the Director of National Intelligence as described by the EU-US Privacy Framework.[11] It is not an Article III court but an extrajudicial executive branch tribunal.[12]
Members of the DPRC are appointed by the Privacy and Civil Liberties Oversight Board (PCLOB) to four-year terms.
The decisions made by the DPRC have binding effect for the adjudication.[13][14] There has been criticism of its secrecy and of its possible effectiveness.[15]
CH–US Data Privacy Framework
Similarly to the EEA, EFTA member Switzerland and the US have had a Swiss–US Data Privacy Framework, under Switzerland's Federal Act on Data Protection (DSG), since September 2024.[16]
History
On 25 March 2022, it was announced that the European Commission and the United States had committed to a “Trans-Atlantic Data Privacy Framework” in reaction to the failure of the EU-US Privacy Shield.[1][17]
On 7 October 2022, US President Joe Biden signed Executive Order 14086 to implement the framework, including authorizing and directing the creation of the US Data Protection Review Court.[11][7] United States Attorney General’s order 5517-2022 of 7 October 2022 established the court.[18]
In May 2023, the European Data Protection Board approved the Commission’s adequacy decision draft that was published on December 13, 2022.[19]
Although not binding on the European Commission, on 11 May 2023 the European Parliament voted in favour of a resolution calling on the Commission to renegotiate the Framework[20] and not to adopt an adequacy finding on the basis that “the EU–US Data Privacy Framework fails to create essential equivalence in the level of protection”.[21]
In May 2023, a resolution on this matter passed the European Parliament with 306 votes in favor and 27 against.[22]
On 10 July 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework, thereby allowing transfer of personal data from the EU to the US on the basis of Article 45 of the GDPR.[3]
In July 2023, the NGO NOYB (European Center for Digital Rights) announced that it would challenge the framework again before the European Court of Justice.[12]
Effective 6 July 2024, the EEA Joint Committee incorporated the Commission Implementing Decision into the EEA Agreement, extending it to the European Economic Area (EEA).[4][5]
On 14 August 2024, the Swiss Federal Council issued an adequacy decision for the Swiss–US Data Privacy Framework under its Federal Act on Data Protection (DSG).[16]
In January 2025, Trump fired Democrat members of the Data Protection Review Court, leaving the five-person board with only one Republican member, short of the three required to make any decisions.[10]
References
- [1] McCabe, David; Stevis-Gridneff, Matina (25 March 2022). “U.S. and European leaders reach deal on trans-Atlantic data privacy”. The New York Times. Retrieved 28 March 2022.
- [2] “Biden Executive Order Supports New EU-U.S. Data Privacy Framework for Trans-Atlantic Transfers of Data”. The National Law Review. Retrieved 1 November 2022.
- [3] “Data Protection: European Commission adopts new adequacy decision for safe and trusted EU-US data flows”. European Commission. 10 July 2023. Retrieved 5 March 2024.
- [4] “Decision of the EEA Joint Committee No 169/2024 of 5 July 2024 amending Annex XI (Electronic communication, audiovisual services and information society) to the EEA Agreement [2024/2568]”. EUR-Lex. Publications Office of the European Union. 17 October 2024. Retrieved 28 March 2026.
- [5] “Factsheet – 32023D1795”. EEA-Lex. EFTA Secretariat. Retrieved 28 March 2026.
- [6] “Legal Questions Loom Over Latest Trans-Atlantic Data Flows Deal”. news.bloomberglaw.com. Retrieved 1 November 2022.
- [7] Shepardson, David; Blenkinsop, Philip (8 October 2022). “Biden signs order to implement EU-U.S. data privacy framework”. Reuters. Retrieved 1 November 2022.
- [8] “US expected to publish Privacy Shield executive order next week”. Politico. 27 September 2022. Retrieved 1 November 2022.
- [9] “Texts adopted – Adequacy of the protection afforded by the EU-U.S. Data Privacy Framework – Thursday, 11 May 2023”. www.europarl.europa.eu. Retrieved 30 May 2024.
- [10] “Deafening Commission silence with no credible EU-US data oversight left”. Euractiv. 28 February 2025. Retrieved 1 March 2025.
- [11] Biden, Joe (14 October 2022). “Executive Order 14086 Enhancing Safeguards for United States Signals Intelligence Activities”. Federal Register. Retrieved 11 March 2024.
- [12] “European Commission gives EU-US data transfers third round at CJEU”. noyb.eu. Retrieved 30 May 2024.
- [13] 28 C.F.R. §201.9(g)
- [14] “Press corner”. European Commission. Retrieved 30 January 2023.
- [15] Masnick, Mike. “We Shouldn’t Allow A New Super Secret Surveillance Court Cover Up The Civil Liberties Problems Of The Old Super Secret Surveillance Court”. Techdirt. Archived from the original on 2 February 2024. Retrieved 2 February 2024.
- [16] “Swiss-US Data Privacy Framework: Certified US companies offer adequate protection for personal data”. admin.ch (Press release). Federal Council. 14 August 2024.
- [17] “FACT SHEET: United States and European Commission Announce Trans-Atlantic Data Privacy Framework”. The White House. 25 March 2022. Retrieved 5 March 2024.
- [18] Garland, Merrick B. (14 October 2022). “Data Protection Review Court”. Federal Register. Retrieved 4 February 2026.
- [19] “Opinion 5/2023 on the European Commission Draft Implementing Decision on the adequate protection of personal data under the EU–US Data Privacy Framework”. European Data Protection Board. 28 February 2023. Retrieved 1 March 2023.
- [20] Silver, Andrew (12 May 2023). “Parliament calls on Commission not to adopt EU-US data deal”. Research Professional News. Retrieved 14 August 2023.
- [21] “Texts adopted – Adequacy of the protection afforded by the EU-U.S. Data Privacy Framework”. European Parliament. 11 May 2023. Retrieved 16 June 2023.
- [22] “Procedure File: 2023/2501(RSP) | Legislative Observatory | European Parliament”. oeil.secure.europarl.europa.eu. Retrieved 30 May 2024.
External links
- EU-US data transfers webpage of the European Commission
- Data Privacy Framework List website of the US International Trade Administration
- Commission Implementing Decision EU 2023/1795 of the European Commission on EUR-Lex
- 28 CFR Part 201 (Data Protection Review Court) of the US Code of Federal Regulations from the LII
- 28 CFR Part 201 (Data Protection Review Court) of the US Code of Federal Regulations from the OFR