.png)
.png)
The European Commission's recent approval of the EU-U.S. Data Privacy Framework (DPF) has drawn mixed views from experts regarding its durability and legality.
While the commission believes that the changes in U.S. surveillance practices offer a level of data protection similar to that of the General Data Protection Regulation (GDPR), privacy campaigner Max Schrems, known for successfully challenging previous data transfer mechanisms, has criticized the new framework for failing to meet the requirements set by the Court of Justice of the European Union (CJEU).
Schrems highlights that both U.S. law and the EU's approach to data protection have undergone minimal changes, leaving EU citizens without the same rights as their U.S. counterparts under U.S. surveillance laws. He has vowed to challenge the decision.
Although companies previously registered under the Privacy Shield will find it relatively easy to transition to the DPF regime, experts question the long-term viability of the new scheme. Kristy Gouldsmith, a partner at law firm Spencer West, points out two key concerns: the absence of a U.S. federal law governing personal data processing, leading to variations in data protection due to individual state legislation, and potential legal challenges against the framework.
Robert Grosvenor, managing director at Alvarez & Marsal, acknowledges that the new framework addresses some failures of the Privacy Shield and provides a redress mechanism for EU data subjects. However, Nigel Jones, co-founder of the Privacy Compliance Hub, advises EU companies to continue relying on the DPF while remaining cautious and prepared for potential legal challenges in the future.
While the framework is expected to face legal scrutiny, experts argue that it remains a convenient option for EU companies in terms of data transfers to the U.S. They suggest adopting a multi-layered approach that combines the framework with other appropriate safeguards, such as standard contractual clauses (SCCs), until the ultimate judicial test, known as "Schrems III," provides further clarity.
Companies are advised to remain vigilant and monitor developments in case the framework is invalidated, given the previous success of challenges against its predecessors.
By fLEXI tEAM