Final EU-US adequacy decision is expected by summer

There are still some procedural hurdles to clear before the EU-US Data Privacy Framework takes effect. It seems unlikely though that the remaining EU DPA reservations would put a stop to this agreement which has been in the making for years. However, their call for subsequent reviews to take place at least every three years is a sensible step, as well as monitoring how well the redress mechanism works in practice.

It is expected that EU-US Data Privacy Framework will be adopted in the summer of 2023 once the EU Member States have given their approval. While US organisations must self-certify, it is still less stringent than using Standard Contractual Clauses, for example. SCCs have also been developed in China but with important variations from the EU clauses.

Can we expect a US federal privacy law? In his State of the Union address at the beginning of February, President Joe Biden called for “bipartisan legislation to stop Big Tech from collecting personal data on kids and teenagers online, ban targeted advertising to children, and impose stricter limits on the personal data these companies collect on all of us.” In the meantime, the trend of adopting state-level privacy laws continues with Iowa being the recent addition.

Data Protection Authorities keep enhancing their cooperation globally, both through networks created by law and international agreements, and by more informal arrangements. An example of the former is the European Data Protection Board which aims to further streamline its cross-border enforcement. The EU Commission is working on how to harmonise some aspects of the administrative procedures which have caused delays, for example in Ireland.

National level interpretations on what the GDPR means are always a fascinating read. In this issue we bring you a case study from France, where the DPA has ruled that the GDPR did not apply there to the operations of a US-based company.

I look forward to a discussion on this topic 3-5 July at Who’s Watching Me? our 36th International Conference in Cambridge, UK, with a EU Commission representative and a Member State national Data Protection Commissioner taking the stage (see the conference programme).

Laura Linkomies
Editor, Privacy Laws & Business

April 2023