Client Alert: European Commission’s Adequacy Decision Sets Standards for US Companies to Receive Personal Data from EU Under the New EU-US Data Privacy Framework

On July 10, 2023, the European Commission concluded that the US ensures an adequate level of protection for personal data transferred from the European Union to US companies under the new EU-US Data Privacy Framework. Based on the Adequacy Decision, personal data can be transferred safely from the EU to US companies that participate in the Framework. Adoption of the Framework represents an important step to provide trust to EU data subjects that their data will remain safe when transferred to the US. Implementation of the Framework will further strengthen economic ties between the EU and the US, and will help solidify shared data privacy and data protection values.

The new EU-US Data Privacy Framework is the product of negotiations and agreement between the US government and European Commission that followed the Biden Administration’s October 2022 Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, which was complemented by regulations issued by the US Attorney General. Together, the Executive Order and regulations implemented the US commitments reached under the agreement in principle into US law, and complemented the obligations for US companies under the EU-US Data Privacy Framework. US companies will now be required to comply with certain data protection principles, including:

  • Purpose limitation and choice;
  • Processing of special categories of personal data;
  • Data accuracy, minimization and security;
  • Transparency;
  • Individual rights;
  • Restrictions on onward transfers;
  • Accountability; and
  • Administration, oversight and enforcement.

The EU-US Data Privacy Framework also introduces new binding safeguards to address the most critical concerns raised by the European Court of Justice, including limiting access to EU data by US intelligence services to what is necessary and proportionate, and establishing a Data Protection Review Court (DPRC), to which EU individuals will have access. The Framework introduces significant improvements compared to the mechanism that previously existed under the former EU-US Privacy Shield, which was invalidated by the European Court of Justice in July 2020. In addition to the obligations that US companies importing data from the EU will need to follow, the Framework introduces new safeguards in the area of government access to data. US companies will be able to participate in the EU-US Data Privacy Framework through self-certification and committing to comply with a detailed set of privacy obligations that include requirements to:

  • Delete personal data when it is no longer necessary for the purpose for which it was collected;
  • Ensure continuity of protection when personal data is shared with third parties;
  • Provide redress avenues for data subject rights wrongly handled by US companies; and
  • Provide free-of-charge independent dispute resolution mechanisms and an arbitration panel.

The safeguards put in place by the US will also facilitate transatlantic data flows more generally, since they also apply when data is transferred by using other tools, such as standard contractual clauses and binding corporate rules.

Like its predecessor, the EU-US Privacy Shield, the EU-US Data Privacy Framework will be administered and monitored by the US Department of Commerce. The Federal Trade Commission will enforce compliance. Further, the functioning of the EU-US Data Privacy Framework will be subject to periodic European Commission reviews, together with representatives of European data protection authorities and designated US authorities. The first review will take place within one year of the July 11, 2023 entry into force of the Adequacy Decision to verify that all relevant elements have been fully implemented in the EU-US Data Privacy Framework and are functioning effectively in practice.

To self-certify under the EU-US Data Privacy Framework, companies can set up an account at www.dataprivacyframework.gov. Under the self-certification process, companies are required to publicly declare their commitment to comply with the data protection principles, and to make their privacy policies available and fully implement them. As part of their certification application, companies must submit information to the Department of Commerce, including the name of the relevant company, a description of the purposes for which the company will process personal data, the personal data that will be covered by the certification, the chosen verification method, the relevant independent recourse mechanism, and the statutory body that has jurisdiction to enforce compliance with the principles.

Notwithstanding the progress advanced by the Adequacy Decision, NOYB - European Center for Digital Rights, a non-profit organization based in Vienna, Austria, is poised to challenge the decision as it advances strategic court cases and media initiatives in support of the General Data Protection Regulation (GDPR), the ePrivacy Regulation, and information privacy in general.

Should you have any questions regarding certification under the EU-US Data Privacy Framework, its impacts on your business, or any compliance obligations it creates, please reach out to David A. Wheeler, Alfred C. Tam, Laura K. Russell, or your NGE attorney.


The content above is based on information current at the time of its publication and may not reflect the most recent developments or guidance. Please note that this publication should not be construed as legal advice or a legal opinion on any specific acts or circumstances. The contents of this publication are intended solely for general purposes, and you are urged to consult a lawyer concerning your own situation and any specific legal questions you may have. The alert is not intended and should not be considered as a solicitation to provide legal services. However, the alert or some of its content may be considered advertising under the applicable rules of the supreme courts of Illinois and certain other states.