The new European Union-U.S. Data Privacy Framework has reinstated clear data sharing rules. While the EU has GDPR protecting its citizens' right to data privacy, the U.S. is devoid of any such law.
It took about two years for the US to design the new data privacy framework after the EU's Court of Justice slashed the previous data sharing framework, ‘the EU-U.S. Privacy Shield’, enacted in 2016. The privacy shield was invalidated following the Schrems II court ruling. Most of the changes in the framework focused on modifying U.S. intelligence agencies' access to and handling of EU data, which was the basis for invalidating privacy shield.
Several U.S. companies depend on multiple data transfer mechanisms, including standard contractual clauses between companies, to meet GDPR requirements. However, contractual clauses don't address all data transfers within GDPR's scope, such as directly collecting information from data subjects in the EU and transferring that data to the U.S. A few companies reduced the type of data transfers and the quantity of data taken from the EU. Others separated EU and U.S. business operations by creating local data centers in the EU, which in turn created data silos,
The U.S. companies can now rely on the new data privacy framework that brings back legal certainty even though confirmation on the adequacy of the data transfer commitments is still awaited. The U.S. Department of Commerce has indicated there will be amendments to the commercial data sharing requirements in the new framework.
In the two years since the privacy shield was invalidated, companies like Google and Meta have faced multiple lawsuits over the transfer of data. If companies face costs when implementing the new framework, they'll have to consider whether those costs outweigh the risks faced previously by not having the right legal data transfer mechanism in place. That's the trade-off companies must consider.
The new data privacy framework restores clear directions for companies to legally transfer data between the U.S. and EU.