On July 10th, the European Commission issued an adequacy decision for the EU-US Data Privacy Framework, signaling that the United States provides an adequate level of protection for personal data transferred from the EU to US companies, if those companies have self-certified and adhere to certain Data Privacy Framework Principles. This decision aims to alleviate the challenges faced by EU organizations when transferring personal data to the US.
This adequacy decision follows significant changes in US law, including the issuance of Executive Order 14086, which enhances safeguards for US signals intelligence activities. This order, issued on October 7, 2022, outlines principles-based conditions, limitations, and safeguards governing signals intelligence activities. These measures aim to ensure that the US meets the requirements of necessity and proportionality. Additionally, the Executive Order establishes a new redress mechanism.
The European Commission has thoroughly assessed these changes, while also addressing deficiencies that led to the invalidation of the EU-US Privacy Shield in 2020 by the Court of Justice of the European Union (CJEU) in the Schrems II decision.
The Privacy Shield Struck Down in 2020
In 2020, the CJEU made a landmark decision to invalidate the EU-U.S. Privacy Shield, which served as a mechanism to facilitate the transfer of EU personal data to the United States. The CJEU’s ruling came in response to concerns regarding the lack of adequate data protection for EU citizens’ personal data once it was transferred to U.S. companies.
The court cited concerns over U.S. surveillance practices, particularly those involving signals intelligence activities, which it deemed incompatible with EU data protection standards. Additionally, the CJEU found that the Privacy Shield lacked sufficient safeguards and remedies for EU individuals whose data was subject to U.S. government access and surveillance.
The decision rendered the Privacy Shield framework ineffective, leaving organizations to rely on alternative mechanisms, such as standard contractual clauses or binding corporate rules, to continue cross-border data transfers between the EU and the U.S.
New Data Privacy Framework
The adequacy decision does not automatically legitimize all EU-to-US data transfers. Instead, it applies to EU personal data transferred to US organizations that have self-certified their compliance with the Data Privacy Framework principles.
The Data Privacy Framework allows transfers to certified US companies without a requirement to commit to additional authorizations or safeguards. The European Commission’s favorable assessment of the changes in US laws is a significant step forward for US entities struggling as recipients of cross-border data flows, particularly given the lack of a federal privacy statutory framework.
The adequacy decision will be periodically reviewed by the European Commission to ensure that the level of protection provided by the US under the Data Privacy Framework remains justified. The first review will take place within a year of the decision’s entry into force, followed by subsequent reviews determined by the Commission in consultation with European data protection authorities. If identified issues are not addressed by US authorities, the Commission may suspend or repeal the adequacy decision, or impose further conditions on data transfers.
To rely on this EU data transfer mechanism, organizations must be included on the “Data Privacy Framework List,” which will be publicly maintained by the US Department of Commerce. A self-certification website, www.dataprivacyframework.gov, was launched on July 17, 2023. Organizations with an existing Privacy Shield certification are required to comply with the Data Privacy Framework Principles by October 10, 2023, without the need for a new self-certification submission. However, organizations that have not maintained their Privacy Shield certification, or that are new to the process, must complete the self-certification attestations on the website.
This adequacy decision represents a significant development for organizations transferring the personal data of EU residents to the US. The decision acknowledges positive changes in US law, which will contribute to successful transfer impact assessments for EU-US data transfers. However, organizations are likely to remain cautious and to continue using additional safeguards, such as standard contractual clauses, to mitigate potential risks. It is also important to note that the Data Privacy Framework currently does not apply to the UK, but provisions for the UK extension and the Swiss-US Data Privacy Framework are expected to facilitate data transfers between those regions and the US once the respective adequacy decisions are implemented.
For assistance with self-certification or to gain a better understanding of the impact of this adequacy decision, contact PRIVATECH.
PRIVATECH’s inaugural CIPP/US certification training will be held in November 2023. Let us know if you want to be informed when registration is open!