EU-US Data Privacy Framework Review
The EDPB reviews the EU-US Privacy Framework
The Data Privacy Framework between the European Union (EU) and the United States (US) has become one of the most relevant issues on the international data protection agenda.
This framework, designed to facilitate the secure transfer of personal data between the EU and the US, has undergone its first review by the European Data Protection Board (EDPB), the body responsible for overseeing and ensuring the protection of European citizens’ data. This review aims to assess the effectiveness of the framework, identify possible improvements and ensure that European data protection standards are met.
Why is the EU-US Privacy Framework Important?
Since the General Data Protection Regulation (GDPR) came into force in 2018, the EU has strengthened its position as a leader in protecting privacy and personal data globally. The transfer of data between the EU and the U.S., an essential practice for global businesses and digital services, has historically been complex due to significant differences between the two territories’ approaches to privacy and personal data protection.
After the predecessor agreement, Privacy Shield, was invalidated in 2020 by the Court of Justice of the European Union (CJEU), the EU-US Data Privacy Framework was introduced as a new solution in 2023, following several rounds of negotiations.
The implementation of this framework seeks to ensure that U.S. companies comply with European data protection standards and that U.S. authorities respect data protection rules when accessing the personal information of European citizens.
EDPB Review Objectives
The review carried out by the EDPB focuses on analyzing whether the current framework:
1. Provides the adequate level of protection of personal data for EU citizens, as established by the GDPR.
2. Respects individuals’ privacy rights with regard to access to their data by U.S. government entities.
3. Identifies areas for improvement or adjustments needed to adapt the framework to current and future challenges in the field of data transfers.
The EDPB has examined the scope and effectiveness of the safeguards introduced in the framework to protect the personal data of European citizens from access by U.S. law enforcement agencies. In particular, it has examined whether the limiting safeguards and oversight measures implemented by the U.S. are sufficiently robust and in line with the standards set out in the GDPR.
Main Findings of the Review
So far, the EDPB has made some key points in its Opinion:
Progress in Data Protection:
The framework shows significant progress in terms of data protection, especially in comparison with previous agreements such as the Privacy Shield. The United States has implemented the necessary requirements for certifying companies as to their level of adequacy in data protection: companies must publish their Privacy Policies, as well as their commitment to comply with the new regulatory framework. To date, 2,800 companies have already been certified, most of which are SMEs in the ICT sector.
Likewise, as of July 2024, new data protection laws have been approved in various U.S. states, such as California, Colorado, Oregon, Virginia, Connecticut, Utah, Montana, Texas and Florida. At this point, the EDPB’s recommendation would be the approval of a federal data protection law, rather than the existence of only state laws, in order to obtain greater enforcement and stability of the data protection framework.
Redress Mechanisms for European Citizens:
One of the EU’s biggest concerns has always been to ensure that European citizens have a way to defend their rights in the event of privacy violations by U.S. companies or government entities. The framework addresses this by including the possibility to file complaints and obtain redress, although some experts believe that more details are needed on the accessibility of these mechanisms and their actual effectiveness.
Of particular note is the creation of a Data Protection Review Court that allows EU citizens to request reviews if they believe their data was misused by intelligence agencies.
Transparency and Oversight in the U.S.:
Additional controls have been implemented in the U.S. to monitor data collection practices and ensure that they are proportionate and justified, as well as in accordance with Commission Implementing Decision (EU) 2023/1795 of July 10, 2023. However, the EDPB expresses the need to continue to closely monitor these practices and to seek improvements in transparency mechanisms to strengthen the confidence of European citizens in the system.
Recommendations Proposed by the EDPB
The EDPB has suggested a series of recommendations to improve the EU-US Data Privacy Framework and address some of the critical areas identified during the review, including:
Strengthen Data Access Safeguards:
Although the U.S. has taken steps toward greater control over access to personal data by government agencies, the EDPB suggests that safeguards must be further strengthened to prevent misuse and better protect the privacy of European citizens.
Improve Access and Remediation Mechanisms:
It is essential that EU citizens have clear and effective access to redress mechanisms. The EDPB therefore recommends that these mechanisms be simplified and adjusted to make them more accessible and effective, and that certified companies and the authorities carry out awareness-raising activities for citizens regarding these defense mechanisms.
Conduct Periodic Reviews:
The EDPB stresses the importance of conducting periodic reviews of this framework to ensure that it continues to meet European standards and to adjust to technological and regulatory changes that may arise in the future. The EDPB has proposed that the next review of the Data Privacy Framework should take place in 3 years at the latest, and not after a period of 4 years as initially determined, since there are still many crucial issues to be monitored, and 3 years is sufficient time to analyze progress on these issues.
Challenges and the Future of the Privacy Framework
The relationship around data protection between the EU and the US has historically been complex. While the EU-US Data Privacy Framework represents progress over previous agreements, there are still challenges to overcome. Differences in legislation and perceptions of privacy and data protection between the two sides pose a continuing challenge to implementing a framework that fully meets EU expectations and requirements.
The EDPB will continue to closely monitor the development of the framework and, in future reviews, new factors such as artificial intelligence, increased cyber-attacks and changing privacy regulations on both continents are likely to be taken into account.