First there was Safe Harbor, then there was Privacy Shield, both of which were struck down, leaving an enormous chasm in the rules for sharing data between the EU and the US. Now, explains Andre Bywater, Partner, Cordery, there is a bridge: the EU-US Data Privacy Framework.
The new framework seeks to address the issue that led to the court striking down Privacy Shield: access to data by US intelligence agencies. To allay European concerns, the US has now put in place a two-level system to redress grievances. EU citizens can lodge a complaint with the Civil Liberties Protection Office. If not satisfied with the results there, they can escalate to the US Data Protection Court, which has the power to issue orders to have data deleted.
The new framework is likely to be a big step forward, but it’s not the only one data processors will have to take. Organizations will first need to determine if they are eligible to participate. Next, they will need to self-certify their processes for handling EU data, a process that will be overseen by the US Department of Commerce, with enforcement handled by the FTC.
Whether self-certifying for the first time or recertifying, there are countless details to be watched. There are special provisions, for example, when it comes to HR data.
And, of course, there is a question of whether courts in Europe will allow the new regime to stand. There is already speculation that a new case may be brought in January 2024.
For now, though, there is a new EU-US Data Privacy Framework in place. Listen in to learn more about what your organization needs to do to comply.