Nearly three years after the European Union's ("EU") high court struck down the EU-U.S. Privacy Shield Framework, the European Commission (the "Commission" or "EC") adopted an adequacy decision for the EU-U.S. Data Privacy Framework (the "Data Privacy Framework") on July 10, 2023, stating that the United States ensures a level of data protection equivalent to that of the EU. The decision effectively allows for the safe transfer of personal data from the EU to U.S. companies participating in the Data Privacy Framework without putting additional transfer safeguards in place.
The approval comes as a bit of a surprise, as previously members of the European Parliament and the European Data Protection Board recommended against approving the Data Privacy Framework. Furthermore, NOYB – European Center for Digital Rights founder Max Schrems, who successfully contested the validity of the U.S.-EU Safe Harbor and the EU-U.S. Privacy Shield frameworks, has vowed to challenge the new framework in court.
U.S. companies will be able to certify their participation in the Data Privacy Framework by committing to comply with a detailed set of privacy obligations. According to the U.S. Department of Commerce, which is charged with administering and monitoring the Data Privacy Framework, the privacy principles and the process to self-certify and recertify annually under this new framework will remain substantively the same as those under the EU-U.S. Privacy Shield Framework.
Companies currently self-certified under the EU-U.S. Privacy Shield Framework will have access to a simplified procedure for self-certification under the EU-U.S. Data Privacy Framework. Like before, the U.S. Federal Trade Commission will enforce U.S. companies' compliance with the new framework.
According to the Commission, the Data Privacy Framework addresses all concerns raised by the EU's highest court, including with respect to access to EU data by U.S. intelligence services. European citizens also are offered improved redress mechanisms if their personal data is handled in a manner that infringes on the Data Privacy Framework, including through the newly created Data Protection Review Court. The new framework will be subject to periodic reviews by the EC and representatives of European data protection authorities and competent U.S. authorities.
Further details about the Data Privacy Framework and the certification process are expected to be posted on the U.S. Department of Commerce's dedicated website for this new framework.
The EC has also released a fact sheet and Questions and Answers containing additional information about this new framework.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.