On July 10, 2023, the European Union ("EU")-United States of America ("US") adequacy decision for adequate level of protection regarding the transfer of personal data under the EU-US Data Privacy Framework ("DPF") was formally adopted by the European Commission. Thus, personal data transfers between the EU and the US now have a full-fledged legitimate base, and the DPF is influential in terms of recognizing the US as a country satisfying the adequate level of protection criteria stipulated under the General Data Protection Regulation of the European Union ("GDPR"). In short, the DPF establishes a "data bridge" between the EU and the US in the data privacy framework.
As early as 2000, the US and the EU entered into the Safe Harbor Agreement ("Agreement"), which governed data transfers to and from the US. The Agreement was supplanted in 2016 by the "EU-US Privacy Shield", which was replaced again with the DPF. The DPF is the only fully stable legal basis for data transfers between the EU and the US.
The DPF enables US organizations operating within the European Economic Area to transfer personal data from the EU, provided these organizations are included on the "Data Privacy Framework List" and consistently adhere to the DPF principles. Accordingly, the US Department of Commerce has the authority to monitor the listed organizations' compliance with the DPF principles and take necessary actions to ensure adherence. On the other hand, the DPF outlines limitations regarding US intelligence services' access to EU personal data. In this respect, US intelligence services can only access EU-oriented personal data for national security purposes only if such access is allowed under existing legislation.
In addition to the above, the DPF includes several binding safeguards to overcome the concerns previously addressed by the European Court of Justice. Among other things, the DPF establishes an independent court, the Data Protection Review Court ("Court"), to which EU citizens can resort for a judicial remedy to minimize the earlier concerns pointed out, and if the Court concludes that the data collected is in breach of security measures, it will be able to order the deletion of the data in question.
On the other hand, under Article 3 of the DPF, the enforcement of the DPF is periodically subject to review by the Data Protection Authority and the relevant authorities. In the event that the US is considered to be deviated from being a safe country for data transfers, the European Commission can notify the relevant US authorities and limit the scope of the DPF or even repeal the DPF.
Overall, the DPF is influential in many aspects, including its influence over jurisdictions that are not within the scope of the GDPR, like Turkey. The Turkish Data Protection Authority ("Authority") is authorized under the Turkish Data Protection Law to announce a collective list of safe countries. However, there is no list announced by the Authority yet. On the other hand, there is a set of criteria to be considered by the Authority while assessing to grant approval for data transfers outside Turkey. Accordingly, the DPF may influence the Authority during its assessment with regards to granting approval for the data transfers to the US.
Originally published by The Legal Industry Reviews.
© Kolcuoğlu Demirkan Koçaklı Attorneys at Law 2020
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
