Future prospects for the EU-US privacy framework

Organisations have been pleased to see the adoption of the new EU-US Privacy Framework in July. It is almost certain that a legal challenge will arise – nevertheless companies now have some breathing space provided that companies sign up to the pact enthusiastically and implement their commitments in the US.

The next step is the EU Commission’s long-awaited review of the existing adequacy decisions. Argentina, which is one of the beneficiaries, is now modernising its law to meet the higher GDPR-level of adequacy. The bill is based on the EU GDPR and the Council of Europe Convention 108+.

On the back of the EU-US decision, we can expect a UK decision soon, as well as Switzerland taking similar measures. But what about adequacy at US state level? The trend of adopting state level consumer privacy laws continues with Texas and Oregon. There have already been speculations about California being a likely candidate for adequacy as it has a stronger law than the other states. Also possible are sectoral arrangements which would benefit the areas currently not covered by the Privacy Framework, such as financial services.

The Cambridge Analytica saga continues, as witnessed by our expert panel at PL&B’s summer conference. In Australia, the Privacy Commissioner and Meta have now been ordered by the federal court to engage in mediation. This is to end the costly legal proceedings over the scandal which started five years ago.

Some worrying developments can been seen in the adoption of generative AI. The EU is not just paying attention but is at the forefront with its AI Act, and evaluating the impact of AI in the metaverse from many viewpoints. On the positive side, SupTech which includes AI elements can help DPAs with their workload.

Laura Linkomies
Editor, Privacy Laws & Business

August 2023