ABSTRACT
The European Commission’s adequacy decision on the EU-US Data Privacy Framework (DPF), adopted on July 10th, 2023, marks a crucial moment in transatlantic data protection. Following an Executive Order issued by President Biden in October 2022, this decision confirms that the United States (US) meets European Union (EU) standards for personal data protection. The decision extends to all transfers from the European Economic Area (EEA) to US entities participating in the framework, promoting privacy rights while facilitating data exchange. Key aspects include oversight of US public authorities’ access to transferred data, the introduction of a dual-tier redress mechanism, and granting new rights to EU individuals, encompassing data access and rectification. However, the EU-US DPF presents both promise and challenges in health data transfers. While streamlining exchange and aligning legal standards, it grapples with the complexities of divergent privacy laws. The recent bill for the introduction of a US federal privacy law emphasizes the urgent need for ongoing reform. Lingering concerns persist regarding the EU-US DPF’s resilience, especially amid potential legal battles before the Court of Justice of the EU (CJEU). The history of transatlantic data transfers between the EU and the US is riddled with vulnerabilities, reminiscent of the Ouroboros – an ancient symbol of a serpent or dragon eating its own tail – hinting at the looming possibility of the framework facing invalidation once again. This article delves into the main requirements of the EU-US DPF and offers insights on how healthcare organizations can navigate it effectively.
Corrales Compagnucci, Marcelo, The EU-US Data Privacy Framework: Is the Dragon Eating its Own Tail? (April 22, 2024).