On July 10th, the EU Commission adopted an adequacy decision for the proposed EU-U.S. Data Privacy Framework. This is exciting news for organizations, many of which have been stuck in privacy "limbo" since the previous EU-U.S. data transfer mechanism, Privacy Shield, was annulled following court challenges brought by privacy activist Max Schrems.
Privacy Shield was struck down by EU courts because it did not provide sufficient protections for EU residents against United States surveillance laws and executive orders, namely FISA 702, Executive Order 12333, and the CLOUD Act.
The new framework seeks to address those issues, ensuring that EU resident data is protected and that citizens have appropriate legal mechanisms to remedy any non-compliance with the safeguards the new framework requires.
So what are the key takeaways for the new framework?
- Organizations now have a legal mechanism to transfer data from the EU to the U.S. without having to put in place a patchwork of other transfer mechanisms, namely Standard Contractual Clauses and Binding Corporate Rules, which can be burdensome to manage at scale. Organizations will be able to self-certify to the new mechanism, and the approved certification will be considered an attestation of compliance with the EU Commission's data protection requirements.
- The United States government issued a new executive order that provides protections for EU resident data transferred to the United States. These include limits on access to EU data by U.S. intelligence agencies, the implementation of a new redress mechanism, and the establishment of the Data Protection Review Court. Establishing these key protections was crucial to bringing the new EU-U.S. Data Privacy Framework to fruition.
- The new framework is based on a set of core data protection principles, such as transparency of data processing, the right to data access, and purpose limitation. These are not new to the privacy community; however, organizations will need to ensure that their privacy programs incorporate these principles and comply with them accordingly.
The question still remains: will the new framework usher in a new era of data protection and continued flows of data from the EU to the U.S., or will it be another mechanism that is challenged in court and struck down in a few years’ time? In our opinion, no mechanism comes without its faults; however, this is a great step up from the previous iterations and provides significantly more protections for EU resident data processed in the United States.
At KnowBe4, we are committed to privacy and security and will commit to the new EU-U.S. Data Privacy Framework as soon as it becomes generally available for organizations to certify. We will continue to monitor its developments to ensure that we stay up to date with any new requirements imposed by the EU Commission or other regulatory bodies.