Today, Commissioner for Justice and Consumers Didier Reynders and U.S. Secretary of Commerce Gina Raimondo made the following statement regarding the first periodic review of the EU-U.S. Data Privacy Framework:
“Representatives from the United States Government, the European Commission, and EU data protection authorities are meeting in Washington D.C. on July 18 and 19 to conduct the first review of the EU-U.S. Data Privacy Framework (DPF). U.S. participation in the review included representatives from the Department of Commerce, Department of Justice, Office of the Director of National Intelligence, Federal Trade Commission, and Department of Transportation. EU participants included representatives from the European Commission’s Directorate General for Justice and Consumers and the European Data Protection Board. Representatives of independent recourse mechanisms, oversight bodies and DPF participants also participated to provide feedback to government officials.
The review marks one year since the DPF went into effect and is a testament to United States and EU’s ongoing commitment to the framework. Over the last year, the United States and EU have closely cooperated on the administration and implementation of the DPF. Already, this collaboration has yielded success.
The DPF has strengthened the protection of privacy across the Atlantic, including through the creation of a new national security redress mechanism. In addition, it has facilitated data flows that underpin more than 1 trillion dollars in EU-US trade and investment. Since the DPF’s implementation in July 2023, more than 2,800 enterprises have joined the framework, 70 percent of which are small and medium-sized businesses.
The DPF first review provides an opportunity to verify that the different elements of the framework are in place and function effectively. The review covers all aspects of the framework, from compliance by companies with its privacy requirements and the enforcement of those protections, to the functioning of the Data Protection Review Court before which individuals in the EU/European Economic Area can obtain redress with respect to U.S. signals intelligence activities. In addition, it allows both sides to discuss legal developments relevant to the DPF in the area of privacy and government access to data.
The European Commission is preparing its report on the functioning of the Data Privacy Framework. The publication of the report concludes the review process.”
Background
European entities can rely on the EU-US Data Privacy Framework (DPF) to freely transfer personal data to participating companies in the U.S. Those companies can join the DPF by committing to comply with a detailed set of privacy requirements, which are enforced by the U.S. Federal Trade Commission. The DPF also provides individuals with different avenues to enforce their rights, including against U.S. intelligence agencies when they access personal data, before the independent Data Protection Review Court.
The functioning of the DPF is subject to a periodic review, carried out by the European Commission, together with representatives of European data protection authorities (designated by the European Data Protection Board) and competent US authorities. The first review takes place one year after the DPF’s inception, to verify that all relevant elements have been fully implemented in the US legal framework and are functioning effectively in practice.
To carry out the review, the Commission gathers information from different sources, including civil society organisations, companies relying on the DPF for data transfers (through their trade associations), and relevant US authorities. The Commission will adopt a report with its findings and conclusions in the coming weeks. This public report will be submitted to the European Parliament and the Council.
Details
- Publication date
- 19 July 2024
- Author
- Directorate-General for Justice and Consumers