New EU-U.S. Data Privacy Framework... but for how long?

Yesterday, the European Commission adopted an adequacy decision regarding the EU-U.S. Data Privacy Framework.

This important milestone states that personal data can now flow freely from the European Economic Area (EEA) to the United States, without further conditions, and replaces the EU-U.S. Privacy Shield, invalidated in July 202 by the Court of Justice of the European Union (CJEU).

The news comes on the tail of the U.S. Secretary of Commerce Gina Raimondo sharing last week that the Framework requirements had been completed from the U.S. side.

“The new EU-U.S. Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic.

Following the agreement in principle I reached with President Biden last year, the US has implemented unprecedented commitments to establish the new framework. Today we take an important step to provide trust to citizens that their data is safe, to deepen our economic ties between the EU and the US, and at the same time to reaffirm our shared values. It shows that by working together, we can address the most complex issues.”

- Ursula von der Leyen, European Commission President (Source: European Commssion)

However, the privacy advocacy organization noyb, led by Austrian lawyer and privacy activist Max Shrems, which was at the origins of dismantling previous attempts at a trans-Atlantic framework, has already declared that it will appeal this latest effort, explaining that fundamental issues of the previous attempts had not been fixed:

"They say the definition of insanity is doing the same thing over and over again and expecting a different result. Just like 'Privacy Shield' the latest deal is not based on material changes, but by political interests. Once again the current Commission seems to think that the mess will be the next Commission's problem." (...)

"We now had 'Harbors', 'Umbrellas', 'Shields' and 'Frameworks' - but no substantial change in US surveillance law. The press statements of today are almost a literal copy of the once from the past 23 years. Just announcing that something is 'new', 'robust' or 'effective' does not cut it before the Court of Justice. We would need changes in US surveillance law to make this work - and we simply don't have it."

- Max Schrems, founder of noyb – European Center for Digital Rights (source: noyb)

How long will this new framework hold? In an article published by Didomi last year, we learned Kirk Nahra, a privacy attorney at the law firm WilmerHale., declared that he expected the new program to, at best, “buy about five years of stability.” In the case of the Privacy Shield, the timeline spanned four years from adopting the framework (July 12, 2016) to the time the CJEU declared it invalid (July 16, 2020).

To dive deeper into the topic of data privacy in the United States and better understand why Max Schrems and noyb are challenging this new framework, check out the recent, thought-provoking opinion on the topic piece published on our blog:

Summary

Japan and U.S. forge partnership on data privacy and AI tech policy │Yes We Trust

European Data Protection Authorities push for stringent regulations on ad tech sector │ Yes We Trust

MEPs are concerned about the proposed EU-US data transfer agreement | Yes We Trust

ChatGPT: European data regulators are setting up a working group | Yes We Trust

TikTok challenges €345M EU fine and resists privacy regulations │Yes We Trust

U.S. Congress more determined than ever to ban TikTok | Yes We Trust

Publications