Alerts | By Faith D. Kasparian, Kevin S. Olson and Ryan J. Perry | 07/17/23

Client Alert: European Commission Approves EU-U.S. Data Privacy Framework

On July 10, 2023, the European Commission (EC) adopted an adequacy decision approving the EU-U.S. Data Privacy Framework (DPF). With this decision, companies that choose to participate in the DPF may now transfer personal data between the EU and U.S. without the need to implement additional data protection safeguards.


To transfer personal data to a non-EU country, the General Data Protection Regulation (GDPR) requires that the non-EU country ensure an “adequate” level of protection for such personal data. Absent a determination by the EC that a third country ensures an “adequate” level of protection, “a controller or processor may transfer personal data to a third country or an international organization only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.” (GDPR, Article 46(1) (emphasis added)).

Following the demise of the Privacy Shield framework in 2020, to afford such “appropriate safeguards” to personal data, many companies entered into the Standard Contractual Clauses (SCCs) for transfers to third countries put forth by the EC. The DPF provides an alternative to entering into such SCCs and provides welcome relief to companies looking for a streamlined approach to handling international data transfers. The DPF replaces the Privacy Shield, which had been invalidated in the 2020 Schrems II decision due in large part to concerns about access to EU personal data by U.S. intelligence services.

How Do Companies Utilize the DPF?

As the EC has explained, U.S. companies may join the DPF “by committing to comply with a detailed set of privacy obligations.” These obligations include “the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties.”

For companies that have maintained an active Privacy Shield certification, the U.S. Department of Commerce (charged with overseeing the Privacy Shield and DPF) has stated that organizations that are certified to the Privacy Shield do not need to make a separate, initial self-certification submission to participate in the EU-U.S. DPF. However, such organizations must comply with the EU-U.S. DPF Principles, including by updating their privacy policies to replace Privacy Shield provisions with those required by the DPF.

Third Time’s the Charm?

The DPF is the third data transfer framework that the U.S. and the EU have negotiated to enable the transatlantic transfer of personal data (with the preceding frameworks being the Safe Harbor, which was invalidated in 2015, and the Privacy Shield). This time around, the U.S. government has attempted to address many of the concerns articulated in the Schrems II decision in an Executive Order that essentially applies fair information principles to personal data of non-U.S. persons collected for U.S. national security purposes. For Max Schrems himself and his organization NOYB, this attempt is not sufficient. NOYB has signaled its intent to challenge the DPF as it did the Safe Harbor and the Privacy Shield. It remains to be seen if the DPF will stand the test of time or fall before Max Schrems as its older siblings did before it.

What’s Next?

The website for the Data Privacy Framework is live as of July 17, 2023. In addition to EU-U.S. transfers, the DPF also includes mechanisms to address data transfers between the U.S. and the United Kingdom/Switzerland.

If you have any questions about the DPF or would like advice in connection with self-certification, or if you have any other data privacy or security related questions, please reach out to Faith Kasparian, Kevin Olson, Ryan J. Perry, or Ann O’Rourke.

This Alert provides general information only. It is not intended to provide advice with respect to any specific set of facts, nor is it intended to advise on all developments in the law.