New Adequacy Decision for the EU-US Data Privacy Framework
Yesterday, July 10, 2023, the European Commission adopted a new adequacy decision entitled the EU-US Data Privacy Framework. It provides a new mechanism designed to permit the transfer of personal data from the European Union to the United States (“Framework”) in a manner that adequately protects the privacy rights of those individuals whose personally identifiable information is being transferred from the EU to the U.S.[1] The Framework enters into force with its adoption and replaces the EU-US Privacy Shield previously invalidated in July 2020 by the Court of Justice in Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems.[2]
What does the adoption of the Framework mean for U.S. companies? The Framework permits the free flow of personal data from companies in the EU to companies in the U.S., provided the parties participate in the Framework. The Framework, however, is not the only tool available for international data transfers. U.S. companies may still rely on the Standard Contractual Clauses as previously approved by the European Commission (“SCC”) and other similar transfer mechanisms.
How to participate? To certify under the Framework, U.S. companies are required to publicly declare their commitment to comply with Framework principles. The process to certify and re-certify under the Framework will remain substantively the same as under the EU-U.S. Privacy Shield Framework, meaning, companies participating in the Framework will be required to first certify and then annually recertify their participation with the U.S. Department of Commerce.
How the Framework is enforced? The Framework will be administered and monitored by the U.S. Department of Commerce, while the Federal Trade Commission will enforce compliance by U.S. companies with the Framework.
Can the Framework be struck down? The Framework is not the first attempt to make international data transfers between the EU and the U.S. valid under the privacy laws in both jurisdictions. Previous adequacy decisions were struck down by the EU Court of Justice in 2015 and again in 2020 under the “Schrems Decisions.”[3] The Framework may again be subject to challenge with the outcome unknown at this time.
What is next? We expect more guidance to be provided by both EU and U.S. authorities. For now, you can get more information on the website of the European Commission. The International Trade Administration (part of the Dept. of Commerce) also launched a website to address questions about the Frameworks self-certification, and more.
If you have questions, be sure to contact MSK or your privacy lawyers.
[1] When referring here to the EU, we mean the European Economic Area, i.e., the EU countries, plus Iceland, Luxembourg and Norway. While the U.K. is no longer part of the EU, it is expected to adopt similar principals in due course. It is expected that Switzerland will also adopt similar principals, also in due course.
[2] Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems ("Schrems II"), https://curia.europa.eu/juris/liste.jsf?num=C-311/18
[3] See Decisions of the Court of Justice in Case C 362/14, Maximillian Schrems v Data Protection Commissioner (“Schrems I”), https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A62014CJ0362; and Case C-311/18, Schrems II, Ibid.