EU-U.S. Data Privacy Framework: A new adequacy decision for the United States

International Data Transfers

The European General Data Protection Regulation (GDPR) only allows personal data to be transferred to countries outside the European Economic Area (EEA) if that country has an adequate level of protection of personal data, which is essentially equivalent to the protection as provided in the European Union. An adequacy decision, as adopted by the European Commission (EC), is one of the tools to transfer personal data freely from the EEA to a particular country when, under its national legislation or its international commitments, the country ensures an adequate level of privacy protection. 

Previous Adequacy Decisions

Before the DPF, the US relied on two consecutive adequacy decisions to transfer personal data from the EEA: the so-called “Safe Harbor Privacy Principles” (2000-2015) and the “EU-US Privacy Shield” (2015-2020). The European Court of Justice (CJEU) invalidated both adequacy decisions in the cases of respectively Schrems I and Schrems II. The main concerns of the CJEU were that (i) the access of EU personal data by US intelligence services was not subject to any judicial review and was not limited in scope to what was strictly necessary and (ii) there was a lack of an effective redress mechanism for Europeans in regard to the unlawful handling of their data by US authorities. Therefore, an adequate level of protection could not be guaranteed in the US.

Differences with the new DPF

The new DPF addresses the concerns raised by the CJEU. In October 2022, the US adopted Executive Order (EO) 14086 and the Regulation on the Data Protection Review, providing stronger privacy safeguards for European personal data when accessed by US intelligence services by i) limiting access to what is necessary and proportionate to national security; ii) adding oversight of US Intelligence authorities’ activities and; iii) creating a new redress mechanism by establishing a “Data Protection Review Court”.

The concerns regarding safeguards in connection with US intelligence operations were the main concern of the CJEU. No concerns were raised with regard to any obligations of commercial entities. Therefore, the commercial principles of the new framework did not change much in comparison to the EU-US Privacy Shield, besides that key-coded data is now also covered. Also, references to the previous Data Protection Directive 95/46/EG have been updated to reflect the wording of the GDPR. Companies that copied the text of the Privacy Shield in their privacy policy should therefore change their privacy policy accordingly so that it reflects the text of the DPF.

It is also good to note that the national security commitments made in the EO and the redress mechanism apply for all transfers, including transfers through Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs).

Moving Forward

The new adequacy decision is a much welcomed decision, especially for smaller and medium-sized companies due to its affordability and approachability. In the US, American companies may begin their self-certification process through the website of the US Department of Commerce from Monday July 17, 2023. Companies that are currently participating in the EU-US Privacy Shield and want to participate in the DPF have a three-month transitional period (until October 10, 2023) to update their privacy policy to the DPF without having to re-admit certification. In the EU, the European Data Protection Board (EDPB) previously expressed her concern in regard to the DPF and will provide an information note in the coming weeks. Today, the EDPB has a plenary meeting where the EC will participate to give an update on the DPF as the first item on the agenda during which, undoubtedly, the EC will be invited do address some of the EDPB’s concerns. These concerns were shared by Max Schrems – the plaintiff behind the Schrems I and II cases invalidating the previous frameworks – who already announced his intent to challenge the new adequacy decision.