Return to search

Tredje gången gillt? : En analys av EU-US Data Privacy Framework / Third time’s the charm? : An analysis of the EU-US Data Privacy Framework

Through the GDPR, the member states of the EU and the EEA countries ensure equivalent protection for personal data which is why personal data within this area can be transferred freely. Transfers of personal data to a country outside the EU/EEA area, such as the U.S., are only permitted under the General Data Protection Regulation (GDPR) under cer­tain conditions, including if the EU Commission has decided that the country in ques­tion en­sures an adequate level of protection. The EU Commission has previously adopted two such decisions for the U.S., based on Safe Harbour and Privacy Shield. Those decisions were, how­ever, struck down by the Court of Justice of the European Union (CJEU) in Schrems I and II since the CJEU did not consider that the U.S. could ensure an adequate level of protection for per­sonal data that was transferred from the EU to the U.S. In July 2023, the EU Commission announced that it had once again adopted an adequacy decision for the U.S. meaning that personal data can now flow freely from the EU to companies and organ­izations in the U.S. certified under the EU-US Data Protection Framework (EU-US DPF). The adequacy decision followed a presidential order signed by U.S. President Biden in October 2022, which introduced new security measures intended to remedy the problems iden­tified by the CJEU in Schrems I and II. On the one hand, the US intelli­gence agencies’ access to personal data is limited to what is proportionate. On the other hand, a data protection court is established.  The purpose of this essay is to examine whether the changes that the presidential order has given rise to has changed the legal situation after Schrems II in such a way that the U.S. can now be considered to ensure an adequate level of protection for personal data that is being transferred from the EU to the U.S. By analyzing the EU-US DPF against the background of the jurisprudence of the CJEU and the European Court of Justice, I find that this is not the case. The U.S. intelligence agencies’ use of and access to EU citizens’ personal data is still not lim­ited to what is proportionate and EU citizens whose personal data is processed still do not have access to an effective remedy to challenge surveillance measures. Thus, the new adequacy decision for the U.S. is likely to be struck down by the CJEU in the coming years. The conse­quences of such an invalidation are examined to some extent in this essay, particularly in rela­tion to other transfer mechanisms in Chapter V of the GDPR, namely standard contractual clauses and binding corporate rules.

Identiferoai:union.ndltd.org:UPSALLA1/oai:DiVA.org:uu-522292
Date January 2023
CreatorsBjerselius, Nathalie
PublisherUppsala universitet, Juridiska institutionen
Source SetsDiVA Archive at Upsalla University
LanguageSwedish
Detected LanguageEnglish
TypeStudent thesis, info:eu-repo/semantics/bachelorThesis, text
Formatapplication/pdf
Rightsinfo:eu-repo/semantics/openAccess

Page generated in 0.0028 seconds