New EU, U.S. privacy framework sets clear data transfer rules

2022-11-07 15:25:29 By : Ms. Helen Jiang

The new European Union-U.S. Data Privacy Framework has re-established clear data sharing rules between the two entities, giving companies that handle EU personal data legal peace of mind.

The data privacy framework is a mechanism for companies, such as social media platforms, that transfer personal data between data centers in the U.S. and EU. While the EU has GDPR protecting its citizens' right to data privacy, the U.S. has no such law, making a compliance framework for data sharing necessary. President Joe Biden implemented the new data privacy framework through an executive order in October.

The U.S. spent two years crafting the new data privacy framework after the EU's Court of Justice struck down the prior data sharing framework, the EU-U.S. Privacy Shield, which was enacted in 2016. The privacy shield was invalidated following the Schrems II court ruling that found fault in how the U.S. government was accessing and using EU personal data.

But without a national framework, companies were also left in limbo and risked facing noncompliance with the EU's GDPR.

"There are multiple legal mechanisms for transferring personal data from the EU to the U.S., but privacy shield was the most achievable of those mechanisms and provided the broadest coverage for different types of data transfers," said Cobun Zweifel-Keegan, managing director of the International Association of Privacy Professionals in Washington, D.C. "Not having that adequacy agreement in place definitely impacted businesses' ability to have compliant data transfers to the U.S."

Many U.S. companies rely on multiple data transfer mechanisms, including standard contractual clauses between companies, to meet GDPR requirements, which Zweifel-Keegan said became more common following invalidation of privacy shield.

Still, contractual clauses don't address all data transfers that fall within GDPR's scope, such as directly collecting information from data subjects in the EU and transferring that data to the U.S. -- a type of transfer that was covered under the privacy shield agreement.

Some companies reduced the type of data transfers and the quantity of data taken from the EU. Others separated EU and U.S. business operations by creating local data centers in the EU, which in turn created data silos, Zweifel-Keegan said.

"They've tried everything they can to comply with the requirements that are in place, but it's been a very uncertain legal regime for the past couple of years," he said.

Although the U.S. awaits confirmation that its data transfer commitments are adequate, U.S. companies can already rely on the new data privacy framework, Zweifel-Keegan said.

Most of the changes in the framework focused on altering U.S. intelligence agencies' access to and handling of EU data, which was the basis for invalidating privacy shield. Due to the U.S. commitments outlined in the executive order, such as mandates for handling personal data and a redress mechanism for EU citizens should they feel their data was illegally collected, Zweifel-Keegan said the government addressed concerns raised by the Schrems II decision.

Zweifel-Keegan said it will be a "relatively easy lift" for companies certified under privacy shield to modify their data sharing practices and become certified under the new framework, which outlines similar data sharing practices.

The U.S. Department of Commerce has indicated there will be adjustments to the commercial data sharing requirements in the new framework down the road, but they have yet to be announced. Those changes will likely be "ministerial," Zweifel-Keegan said.

If companies do face costs when implementing the new framework, they'll need to consider whether those costs outweigh the risks they faced previously by not having the right legal data transfer mechanism in place, said Cristobal Cheyre, assistant professor in Cornell University's information science department.

In the two years since privacy shield was invalidated, Cheyre said companies like Meta and Google have faced multiple lawsuits over the transfer of data between the U.S. and EU. The new data privacy framework brings back clear directions for companies to legally transfer data, he said.

"The cost of implementing these measures may be small compared to being faced with not being able to use the data or having to defend yourself from these lawsuits," Cheyre said. "That's the tradeoff companies have to take into account."

Makenzie Holland is a news writer covering big tech and federal regulation. Prior to joining TechTarget, she was a general reporter for the Wilmington StarNews and a crime and education reporter at the Wabash Plain Dealer.
