European Commission Adopts New Adequacy Decision For The EU-U.S. Data Privacy Framework
On July 10, 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework (DPF), which represents the culmination of three years of work and negotiations between the two jurisdictions. The basic purpose of the DPF is to allow personal data to flow safely and freely from the European Union (EU) to United States (U.S.) organizations, without the need to put in place the EU Standard Contractual Clauses (EU SCCs) or any other General Data Protection Regulation (GDPR) safeguard, which has been the standard practice of many U.S. businesses for the last several years.
Prior to July 2020, thousands of U.S. businesses relied upon the EU-U.S. Privacy Shield, the precursor to the DPF, for legal transfers of data between the two jurisdictions. However, on July 16, 2020, the landmark case Schrems II was handed down by the Court of Justice of the European Union (CJEU), which invalidated Privacy Shield and left thousands of U.S. businesses scrambling to adopt alternative GDPR safeguards in order to legally conduct data transfers from the EU to the U.S. Most businesses came to rely upon the SCCs, but with the European Commission’s adequacy decision regarding this new DPF, U.S. businesses finally have a new framework for legitimizing data transfers.
The DPF introduces significant improvements compared to the defunct Privacy Shield. Notably, the level of protection granted to EU data will be comparable to data protection granted under GDPR. Read on to learn more about the new DPF and what this could mean for your business:
What Does the DPF Include?
The DPF will address the concerns raised by the CJEU, including the access to EU data by U.S. intelligence services. This will include imposing safeguards, review processes, and mechanisms to protect European privacy rights.
Safeguards. The DPF introduces binding safeguards to ensure privacy rights and to promote U.S. compliance with certain obligations for importing data from the EU. Particularly, with U.S. intelligence services or public authorities, access to data will be restricted only to what is deemed necessary and proportionate. The safeguards will also facilitate transatlantic data flows more broadly, as they will apply to data transfers using other mechanisms, like SCCs or other binding corporate rules.
Review. The DPF will establish a Data Protection Review Court (DPRC) to be based in the U.S. The DPRC will be accessible to individuals and allow them to address the collection of their personal data in front of this body.
Privacy Rights. The DPF provides EU individuals the right to obtain access, correct, or delete their personal data that is held by participating U.S. organizations. Notably, EU individuals will be offered improved redress mechanisms if their personal data is handled in a manner that violates the DPF.
Additionally, the DPF will be subject to periodic reviews, with the initial review taking place within one year. These reviews will be conducted to ensure the proper implementation of all intended elements of the DPF and their effective functioning.
What U.S. Organizations Are Eligible for the DPF?
The DPF will be administered and monitored by the U.S. Department of Commerce. The Federal Trade Commission (FTC) will enforce U.S. organizations’ compliance with the requirements of the framework. However, the DPF is available only to U.S. organizations that are subject to the authority of the FTC (nonprofit organizations, nonprofit health systems, and universities are generally not included).
How Can a U.S. Organization Qualify Under the DPF?
Personal data can flow freely from the EU to U.S. organizations that self-certify their participation in the framework and commit to comply with the framework’s set of privacy obligations. Some of these obligations include adopting standards regarding purpose limitations, data minimization and data retention, data security, data sharing, and ensuring continuity of protection when personal data is shared with third parties.
A U.S.-based organization is required to self-certify with the International Trade Administration (ITA) via the DPF program website and publicly commit to comply with the DPF principles. Crucially, U.S. organizations that maintained their self-certification under the defunct EU-U.S. Privacy Shield will have access to a simplified procedure for self-certification under the DPF.
Prior to beginning the certification process, businesses should conduct an internal review to determine which data transfers could rely on the new mechanism and that it has the technical and practical capability of meeting all the requirements of the DPF.
The DPF presents an opt-in system, so, in the event that it is impractical or impossible for a business to certify with the DPF, the business may nonetheless still be able to make legal data transfers through the SCCs or other safeguards.
Contact one of the privacy experts in McGrath North’s Privacy and Cybersecurity team for all of your questions related to the new Data Privacy Framework and what the new framework means for your business. The team at McGrath North has the experience and knowledge to guide your business through today’s rapidly changing privacy environment.
Related Attorneys
