The Bottom Line
- After both the U.S.-EU Safe Harbor Framework and EU-U.S. Privacy Shield Framework were invalidated by European courts, businesses are hopeful that the new Data Privacy Framework will be the one that finally survives legal scrutiny.
- Businesses dealing with cross-border transfers of personal data from the EU to the United States should be ready to consider registering under the new framework.
Years of anticipation culminated on July 10, 2023, when the European Commission adopted an adequacy decision (the Adequacy Decision) on the EU-U.S. Data Privacy Framework (the Framework).
The Adequacy Decision is the result of a series of negotiations between the European Union and the United States to ensure that the United States provides a comparable level of protection to the EU with respect to cross-border transfers of personal data under Article 45(1) of the General Data Protection Regulation (GDPR). Following the 2020 decision by the Court of Justice of the European Union (CJEU) to invalidate the EU-U.S. Privacy Shield Framework in the Schrems II case, U.S. companies could no longer rely on their privacy shield certification as a lawful means to transfer EU personal data.
The Adequacy Decision provides an additional mechanism – instead of standard contractual clauses (SCCs) or binding corporate rules (BCRs) – to ensure the lawful transfer of data across the Atlantic. Importantly, U.S. companies that are certified under the Framework will no longer need to implement SCCs or BCRs as a data transfer mechanism, and such transfers will not requireperforminga Transfer Impact Assessment (TIA) (transfers based on SCCs will still need a TIA). Companies that retained their certification under the Privacy Shield will also have access to a simplified procedure to self-certify under the new Framework.
Key Components of the Adequacy Decision
A key aspect of the Adequacy Decision is that it limits access to European citizens’ personal data by U.S. intelligence services to what is “necessary and proportionate”, thereby addressing the CJEU’s concerns surrounding surveillance that it raised in Schrems II. The Adequacy Decision also provides European citizens with the ability to lodge complaints (for free) with their national data protection authority, which will transmit the complaint to the United States for investigation by the “Civil Liberties Protection Officer” of the U.S. intelligence community. EU citizens may appeal a decision of the officer to the newly established Data Protection Review Court, which will have the power to obtain relevant information from intelligence agencies and enforce redress mechanisms.
According to the European Commission’s press release, the Framework will be subject to periodic reviews by the European Commission, in collaboration with representatives of European data protection authorities and U.S. regulatory agencies. The first review will take place within a year of the Adequacy Decision taking effect and will verify that all relevant elements have been properly implemented under existing U.S. laws and regulations. Although the Adequacy Decision has been finalized and formally adopted, it still may be subject to an invalidation procedure before the CJEU, but EU officials have indicated that this would be highly unlikely.
For More Information
Almost immediately after issuing the Adequacy Decision, the European Commission issued FAQs. On the U.S. side, we expect that similar guidance from the U.S. Department of Commerce, which administers the Framework, and the Federal Trade Commission (FTC), which enforces it, is forthcoming. In the meantime, the Department of Commerce is launching a new website to provide information on participating organizations, how companies can self-certify under the Framework and other resources.