EU-US Adequacy Decision
EU issues adequacy decision allowing transfer of personal data to US companies under the new Framework
In July of 2020, the Court of Justice of the European Union issued Schrems II, which struck down the EU-US Privacy Shield, the framework that allowed for the transfer of personal data from the EU to the US without engaging in complicated transfer mechanisms. Since then, international transfers have required complicated contracts (the “SCCs”) combined with additional security and privacy measures and legal reviews.
Today (July 10, 2023), the European Commission adopted an adequacy decision for data transfers to the United States under the new EU-US Data Privacy Framework (the “Framework”). The decision essentially allows for the transfer of personal data from the EU to the US by companies that participate in the Data Privacy Framework. For companies engaging in transferring data from the EU to the US, this will make the process much simpler and more reliable.
The Framework is based on the old Privacy Shield in many ways, and US companies will be able to self-certify their participation in the Data Privacy Framework, just as they did with Privacy Shield. The only safeguards required for their EU-US data transfers will be those specified as part of the certification. For example, specific provisions in privacy notices will be required. Participating companies will also have to enter into contracts (not the SCCs) that provide for meeting certain privacy protection principles (such as data minimization) when data is transferred across the Atlantic. According to the Department of Commerce, which is charged with administering the Data Privacy Framework in the US, the privacy principles and the process for annual self-certification under the new Framework will remain substantively the same as they were under Privacy Shield. In fact, if you remained certified under the invalidated Privacy Shield, your company will have access to a simplified self-certification under the new Framework over the next three months.
For those wondering “why all the fuss for the last 3 years if nothing changed?”: something did change, and it is significant. There are strengthened privacy protections for EU residents’ data thanks to changes to US regulations regarding government access to data and the establishment of a robust redress mechanism. The US Federal Trade Commission will oversee companies’ compliance with the Framework, and the new Data Protection Review Court (“Review Court”) will provide EU residents with recourse for complaints that the handling of their personal data violates the Framework.
The European Data Protection Board (EDPB) and the members of the European Parliament had previously recommended against approving the Framework as it currently stands, citing additional weaknesses in US privacy protections that, in their view, the changes to regulations and the Review Court did not appear to rectify. Given their previous concerns and statements from EU privacy advocates, including Max Schrems, who brought the initial case that led to the invalidation of Privacy Shield and now leads the privacy activist group noyb, it is highly likely that the adequacy decision will be challenged in court in the near future.
For organizations looking for reliability as they build their privacy programs, the hope is that the Framework is robust enough to hold up in court where Privacy Shield failed.
The Commerce Department’s website is currently being updated to provide detailed information on self-certification, and the European Commission released a press release with a fact sheet and a helpful Q&A page containing additional information about the Framework and adequacy decision.
The adequacy decision goes into effect on July 11, 2023. Companies that wish to self-certify can check in here for further updates or contact KKF Consulting if they would like help reviewing their privacy program compliance needs given the changing landscape under this EU decision.
Disclaimer: The information included here is based on best practices generally and should not be used as legal advice. Placement of privacy notices requires consideration of multiple factors, as indicated in this article. Please consult counsel if you are unsure of your posting requirements.