Content Assessment: Bridging the Data Divide? EU and US Lock-in Landmark Privacy Agreement

Information - 93%
Insight - 92%
Relevance - 94%
Objectivity - 92%
Authority - 95%

93%

Excellent

A short percentage-based assessment of the qualitative benefit of the recent announcement by the European Commission of its adoption of a new adequacy decision for safe and trusted EU-US data flows.

Editor’s Note: From time to time, ComplexDiscovery highlights publicly available or privately purchasable announcements, content updates, and research from cyber, data, and legal discovery providers, research organizations, and ComplexDiscovery community members. While ComplexDiscovery regularly highlights this information, it does not assume any responsibility for content assertions.

Contact us today to submit recommendations for consideration and inclusion in ComplexDiscovery’s data and legal discovery-centric service, product, or research announcements.


Background Note: The European Commission today formally adopted the EU-U.S. Data Privacy Framework, an agreement designed to ensure safe data flows from the European Union to the United States while offering robust protections for personal data. The Framework will significantly impact cybersecurity, information governance, and legal discovery professionals throughout the eDiscovery ecosystem.

Potential Importance to Cybersecurity, Information Governance, and Legal Discovery Professionals:

  • Cybersecurity: The Framework will bolster cybersecurity measures by limiting access to EU data for U.S. intelligence services to what is necessary and proportionate. For instance, this may prevent broad data sweeps, helping to reduce the risk of breaches and unauthorized access. It also necessitates the deletion of data found to be collected in violation of the Framework, providing an extra layer of cybersecurity that could prevent sensitive data from being misused.
  • Information Governance: The Framework dictates stringent data management guidelines, impacting information governance practices. It calls for the deletion of personal data when it is no longer necessary, potentially leading to a more secure and efficient data storage system. Also, when data is shared with third parties, continuity of protection must be ensured. This could result in stricter contracts and clearer data sharing protocols with partners, promoting transparency and accountability.
  • Legal Discovery: The establishment of the Data Protection Review Court (DPRC) provides a clear avenue for legal redress if data is mishandled, which will significantly influence the field of legal discovery. For example, if an EU citizen’s data is wrongly handled by a U.S. company, they can bring a case to the DPRC, ensuring fair proceedings and potential remedial measures. The DPRC thus becomes a vital tool for resolving transatlantic data disputes.

The Framework not only ensures safer transatlantic data flows but also mandates periodic reviews to ensure ongoing effectiveness. This critical advancement in EU-U.S. data relations sets a global benchmark for data privacy, cybersecurity, and legal discovery, providing a model for future international data transfer agreements.

Press Announcement*

Data Protection: European Commission Adopts New Adequacy Decision for Safe and Trusted EU-US Data Flows

European Commission 

Today, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework. The decision concludes that the United States ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new framework. On the basis of the new adequacy decision, personal data can flow safely from the EU to US companies participating in the Framework, without having to put in place additional data protection safeguards.

The EU-U.S. Data Privacy Framework introduces new binding safeguards to address all the concerns raised by the European Court of Justice, including limiting access to EU data by US intelligence services to what is necessary and proportionate, and establishing a Data Protection Review Court (DPRC), to which EU individuals will have access. The new framework introduces significant improvements compared to the mechanism that existed under the Privacy Shield. For example, if the DPRC finds that data was collected in violation of the new safeguards, it will be able to order the deletion of the data. The new safeguards in the area of government access to data will complement the obligations that US companies importing data from EU will have to subscribe to.

President Ursula von der Leyen said: “The new EU-U.S. Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic. Following the agreement in principle I reached with President Biden last year, the US has implemented unprecedented commitments to establish the new framework. Today we take an important step to provide trust to citizens that their data is safe, to deepen our economic ties between the EU and the US, and at the same time to reaffirm our shared values. It shows that by working together, we can address the most complex issues.”

US companies will be able to join the EU-U.S. Data Privacy Framework by committing to comply with a detailed set of privacy obligations, for instance the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties.

EU individuals will benefit from several redress avenues in case their data is wrongly handled by US companies. This includes free of charge independent dispute resolution mechanisms and an arbitration panel.

In addition, the US legal framework provides for a number of safeguards regarding the access to data transferred under the framework by US public authorities, in particular for criminal law enforcement and national security purposes. Access to data is limited to what is necessary and proportionate to protect national security.

EU individuals will have access to an independent and impartial redress mechanism regarding the collection and use of their data by US intelligence agencies, which includes a newly created Data Protection Review Court (DPRC). The Court will independently investigate and resolve complaints, including by adopting binding remedial measures.

The safeguards put in place by the US will also facilitate transatlantic data flows more generally, since they also apply when data is transferred by using other tools, such as standard contractual clauses and binding corporate rules.

Next steps

The functioning of the EU-U.S. Data Privacy Framework will be subject to periodic reviews, to be carried out by the European Commission, together with representatives of European data protection authorities and competent US authorities.

The first review will take place within a year of the entry into force of the adequacy decision, in order to verify that all relevant elements have been fully implemented in the US legal framework and are functioning effectively in practice.

Background

Article 45(3) of the General Data Protection Regulation (GDPR) grants the Commission the power to decide, by means of an implementing act, that a non-EU country ensures ‘an adequate level of protection’ – a level of protection for personal data that is essentially equivalent to the level of protection within the EU. The effect of adequacy decisions is that personal data can flow freely from the EU (and Norway, Liechtenstein and Iceland) to a third country without further obstacles.

After the invalidation of the previous adequacy decision on the EU-U.S. Privacy Shield by the Court of Justice of the EU, the European Commission and the US government entered into discussions on a new framework that addressed the issues raised by the Court.

In March 2022, President von der Leyen and President Biden announced that they had reached an agreement in principle on a new transatlantic data flows framework, following negotiations between Commissioner Reynders and US Secretary Raimondo. In October 2022, President Biden signed an Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’, which was complemented by regulations issued by US Attorney General Garland. Together, these two instruments implemented the US commitments reached under the agreement in principle into US law, and complemented the obligations for US companies under the EU-U.S. Data Privacy Framework.

An essential element of the US legal framework enshrining these safeguards is the US Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’, which addresses the concerns raised by the Court of Justice of the European Union in its Schrems II decision of July 2020.

The Framework is administered and monitored by the US Department of Commerce. The US Federal Trade Commission will enforce US companies’ compliance.

Read the original press announcement.


Complete Fact Sheet: EU-US Data Privacy Framework (PDF) – Mouseover to Scroll

EU-US Data Privacy Framework

Read the original fact sheet.

*Shared with permission under Creative Commons – Attribution 4.0 International (CC BY 4.0) – license.


Assisted by GAI and LLM Technologies

Additional Reading

Source: ComplexDiscovery

 

Have a Request?

If you have information or offering requests that you would like to ask us about, please let us know, and we will make our response to you a priority.

ComplexDiscovery OÜ is a highly recognized digital publication focused on providing detailed insights into the fields of cybersecurity, information governance, and eDiscovery. Based in Estonia, a hub for digital innovation, ComplexDiscovery OÜ upholds rigorous standards in journalistic integrity, delivering nuanced analyses of global trends, technology advancements, and the eDiscovery sector. The publication expertly connects intricate legal technology issues with the broader narrative of international business and current events, offering its readership invaluable insights for informed decision-making.

For the latest in law, technology, and business, visit ComplexDiscovery.com.

 

Generative Artificial Intelligence and Large Language Model Use

ComplexDiscovery OÜ recognizes the value of GAI and LLM tools in streamlining content creation processes and enhancing the overall quality of its research, writing, and editing efforts. To this end, ComplexDiscovery OÜ regularly employs GAI tools, including ChatGPT, Claude, DALL-E2, Grammarly, Midjourney, and Perplexity, to assist, augment, and accelerate the development and publication of both new and revised content in posts and pages published (initiated in late 2022).

ComplexDiscovery also provides a ChatGPT-powered AI article assistant for its users. This feature leverages LLM capabilities to generate relevant and valuable insights related to specific page and post content published on ComplexDiscovery.com. By offering this AI-driven service, ComplexDiscovery OÜ aims to create a more interactive and engaging experience for its users, while highlighting the importance of responsible and ethical use of GAI and LLM technologies.