Share these talks and lectures with your colleagues
Invite colleaguesPractice paper
The EU–US data privacy framework and the impact on companies in the EEA and USA compared to other international data transfer mechanisms
Journal of Data Protection & Privacy,
6
(2),
120-134
(2023)
Abstract
Third time's a charm? Companies in the European Economic Area, Switzerland and the UK (EEA+) are considering the pros and cons of the third attempt of the EU Commission and US government to establish interoperability between their data protection and privacy law systems, after the demise of the US Safe Harbor Program and the EU–US Privacy Shield. Should US companies register? Are the efforts worth the potential benefits, given that the new programme has already been challenged and may be invalidated like previous programmes for reasons that businesses cannot control? Should companies that were already enrolled in the previous programmes accept automatic enrolment or leave the programme? Can and should companies in the EEA+ rely on EU–US Data Privacy Framework (DPF) registration for international transfers? Or insist on registration in addition to standard contractual clauses (EU SCC 2021) or other compliance mechanisms? Are data transfer impact assessments (DTIAs) still required for transfers to the US? Should they be updated? This paper seeks to help companies find answers to these questions and (I) outlines the background and context of the Adequacy Decision, (II) explains how US companies can join the DPF, (III) discusses the impact of the Adequacy Decision, (IV) summarises requirements for other compliance mechanisms for international data transfers under the GDPR, (V) compares the DPF to other transfer compliance mechanisms and (VI) provides practical considerations and a summary.
Keywords: EU–US Data Privacy Framework; EU–US Privacy Shield; US Safe Harbor Program; GDPR; data protection law; international data transfers; data transfer impact assessments; three hurdles
The full article is available to subscribers to the journal.
Author's Biography
Lothar Determann works at Baker McKenzie in San Francisco and Palo Alto. He has been counselling companies since 1998 on data privacy law compliance and taking products and business models international. Admitted to practice in California and Germany, he has been recognised as one of the top ten copyright attorneys and top 25 intellectual property attorneys in California by the `San Francisco & Los Angeles Daily Journal` and as a leading lawyer by Chambers, Legal 500, IAM and others. For more information see www.bakermckenzie.com. Prof Dr Determann has been a member of the Association of German Public Law Professors since 1999 and teaches data privacy law, computer law and internet law at Freie Universität Berlin (since 1994), University of California, Berkeley School of Law (since 2004), Hastings College of the Law (since 2010), Stanford Law School (2011) and University of San Francisco School of Law (2000–2005). He has authored more than 150 articles and treatise contributions as well as five books, including ‘Determann's Field Guide to Data Privacy Law’ (5th Edition, 2022, also available in Arabic, Chinese, French, German, Hungarian, Italian, Japanese, Korean, Portuguese, Russian, Spanish and Turkish) and ‘California Privacy Law — Practical Guide and Commentary on U.S. Federal and California Law’ (5th Ed. 2023). His ‘Field Guide to Artificial Intelligence Law’ is scheduled to be published in January 2024. Recent papers include ‘Healthy Data Protection’, ‘Electronic Form over Substance’ and ‘No One Owns Data’.
Michaela Nebel is an attorney at Baker McKenzie's Frankfurt office and co-head of the German Information Technology Group. She advises companies on all aspects of information technology law and digital law, with a strong focus on data protection law and data dispute matters. She is the author of numerous articles on information technology law and data protection law and the co-author of an English language commentary on the EU General Data Protection Regulation. Michaela holds a PhD in law and certifications as a Certified Information Privacy Professional/Europe (CIPP/E) and a Certified Information Privacy Professional/US (CIPP/US).
Michael Schmidl Prof Dr Michael Schmidl is co-head of the German Information Technology Group and is based in Baker McKenzie's Munich office. He is an honorary professor at the University of Augsburg and specialist lawyer for information technology law (Fachanwalt für IT-Recht). He advises in all areas of contentious and non-contentious information technology law, including Internet, computer/software, data privacy and media law. Michael also has a general commercial law background and has profound experience in the drafting and negotiation of outsourcing contracts and in carrying out compliance projects.
