The nearly 30 years since the first EU Data Protection Directive (95/46/EC) was published in 1995 have been characterized by challenges around data transfer to the US. It will soon be 3 years since the ECJ invalidated the second agreement on the transfer of personal data from the EU to the US due to glaring shortcomings, and it will soon be a year since the EU and the US settled on a new agreement "in principle". It is unclear when this agreement will come into effect. At the heart of all these developments is a question that has remained largely unchanged since 1995: does personal data protection in the US meet the EU's high standards?
A chronology of the most important events concerning the processing of personal data from the EU within the US:
The EU passes the Data Protection Directive 95/46/EC, which contains basic rules for the handling of personal data. Data transfers to third countries are only permitted if adequate protection of said data during the transfer process is guaranteed.
Source: EUR-Lex, 31995L0046 (europa.eu)
The Safe Harbor Agreement is introduced by the European Commission allowing companies to transfer the personal data of EU citizens to the U.S. as long as the relevant U.S. companies comply with certain data protection standards.
Former U.S. intelligence contractor Edward Snowden releases documents showing that the U.S. government had been collecting massive amounts of data from U.S. as well as foreign citizens. This included surveillance of EU citizens and companies.
The European Court of Justice (ECJ) issues a ruling invalidating the Safe Harbor Agreement, indicating that it did not provide adequate protection for personal data.
Source: European Court of Justice, EUR-Lex 62014CJ0362 (europa.eu)
The EU-US Privacy Shield Framework comes into force, providing a mechanism for companies to transfer the personal data of EU citizens to the US as long as the relevant US companies comply with certain data protection standards.
Source: European Commission, EU-US data transfers (europa.eu)
The GDPR, also known as the General Data Protection Regulation, comes into effect. It is a data protection regulation within EU law aimed at strengthening personal data protection and establishing coherent data protection standards across all EU member states. The GDPR replaces the previous EU Data Protection Directive of 1995 and introduces significant changes and augmentations to bring data protection in line with today's digital landscape.
The ECJ declares the EU-US Privacy Shield Framework invalid as it does not provide adequate personal data protection. In addition, the ECJ further restricts the use of standard contractual clauses.
The Irish Data Protection Commission (DPC) issues a preliminary injunction against Facebook Ireland Limited and Facebook Inc. and calls for a suspension of personal data transfers from the EU to the U.S. based on standard contractual clauses.
Facebook loses its case in the Irish High Court challenging the interim order to suspend data transfers.
Source: Irish High Court, https://www.dataprotection.ie/sites/default/files/uploads/2021-08/Facebook%20v.%20DPC%20Judgment%2014.5.21.pdf; https://techcrunch.com/2021/05/14/facebook-loses-last-ditch-attempt-to-derail-dpc-decision-on-its-eu-us-data-flows/
The European Commission publishes new standard contractual clauses with respect to the transfer of personal data to countries outside the EU. These clauses contain stricter requirements for businesses to ensure the level of data protection in the relevant destination country is adequate. The utilization of these clauses alone is generally not sufficient. Additional technical and organizational measures must be used to secure data transfers.
Source: European Commission https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en
The European Commission and the United States announce that they have agreed in principle on a new Transatlantic Data Protection Framework.
Source: European Commission https://ec.europa.eu/commission/presscorner/detail/en/IP_22_2087
The European Commission initiates proceedings to adopt an adequacy resolution relating to the EU-U.S. Data Protection Framework and publishes a draft adequacy decision on the "New Transatlantic Data Protection Framework" of March 25, 2022.
Source: European Commission, Commission publishes draft adequacy decision for the EU-US (europa.eu)
The Committee on Civil Liberties, Justice and Home Affairs issues a draft motion for resolution determining that the suggested “EU-US Data Privacy Framework fails to create actual equivalence in the level of protection” and strongly calls on the Commission not to adopt any adequacy decision.
Source: European Parliament
In a statement relating to the draft of a third EU-US data protection agreement, the European Data Protection Board (EDPB) points to the fact that the ECJ is demanding “essentially equivalent protection” of data, therefore requiring further amendments.