EU-US data privacy framework

The EU and US are tightly connected, with many companies from the US operating in the EU and vice versa. Therefore, the two economic regions had to create a shared data privacy framework and set boundaries protecting both sides.

One of the first such frameworks was Safe Harbor – a set of principles developed between 1998 and 2000 for companies in the US and the EU to safely process private data and avoid possible leaks or data losses.

However, in 2015, the Court of Justice of the European Union (CJEU) decided that US companies couldn’t provide an adequate level of security for the personal data of EU citizens. As a result of the CJEU ruling, Safe Harbor was killed off.

Safe Harbor was replaced by the Privacy Shield – a new framework created in 2016. It was intended to address the concerns of the CJEU and provide a more robust framework for transatlantic data transfers.

The Privacy Shield put the responsibility on companies. US businesses had to undergo a self-certification process and agree to the EU data protection standards.

However, the Privacy Shield only existed for a short time. In 2020, the European Court of Justice issued a ruling in case C-311/18, also known as the Schrems II ruling. The case started when activist Maximilian Schrems asked the Irish Data Protection Commissioner to cancel the standard contractual clauses (SCCs) that Facebook used to move personal data to its headquarters in the US. Schrems believed that US intelligence agencies could access the personal data while it was being sent to or stored in the US. Schrems argued this violated GDPR and other EU regulations.

The CJEU ruled that the Privacy Shield also failed to provide enough protection for personal information under the GDPR because the US government could watch over the data belonging to EU residents. In the end, the Privacy Shield was invalidated.

On July 10, 2023, the European Commission announced a new EU-US agreement called the Data Privacy Framework (DPF). This agreement was supposed to be an improved version of the Privacy Shield, designed to fix problems highlighted in the Schrems II case.

Before the DPF was implemented, the European Data Protection Board (EDPB) and the European Parliament (EP) raised some concerns about whether it safeguarded privacy enough.

These worries are shared by activists, like Max Schrems, whose team is already preparing legal action related to the DPF.