European Union and United States Reach New Agreement for Data Flow Across the Atlantic
On July 10, 2023, the EU Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework, concluding that the United States ensures an adequate level of protection for personal data transferred from the European Union to companies in the United States participating in the EU-U.S. Data Privacy Framework.
An adequacy decision is one of the tools provided by the General Data Protection Regulation ("GDPR") to transfer personal data from the European Union ("EU") to third countries.
The adequacy decision follows the signing of Executive Order 14086 on "Enhancing Safeguards for United States Signals Intelligence Activities" ("EO 14086") by President Biden in October 2022 (please see our Alert). EO 14086 outlined the new measures implemented by the United States to address the gaps identified by the Court of Justice of the EU in its Schrems II decision of July 2020 (please see our Commentary).
In practice, the new Framework:
- Allows EU companies to transfer personal data to U.S. companies that have self-certified to the Framework through a dedicated website, without having to implement other safeguards (e.g., EU Standard Contractual Clauses);
- Requires U.S. companies to comply with privacy obligations, such as privacy principles (e.g., purpose limitation and data minimization) and data security;
- Sets limitations and safeguards regarding access to personal data by U.S. intelligence agencies. In particular, EO 14086 provides (i) binding safeguards that limit access to data by U.S. intelligence authorities to what is necessary and proportionate to protect national security; (ii) enhanced oversight of activities by U.S. intelligence services; and (iii) a new Data Protection Review Court to investigate and resolve complaints regarding access to personal data;
- Provides EU individuals with new rights (e.g., access to their personal data) and redress avenues (e.g., a free-of-charge independent dispute resolution mechanism);
- Will be administered by the U.S. Department of Commerce, which will process applications for self-certification and monitor whether participating companies continue to meet the self-certification requirements; and
- Will be enforced by the U.S. Federal Trade Commission.
These safeguards apply to all data transfers under the GDPR to companies in the United States, regardless of the transfer tool used, and will also facilitate transfers under EU Standard Contractual Clauses ("SCCs") and Binding Corporate Rules.
The adequacy decision applies starting from its entry into force, i.e., July 10, 2023. Companies that are currently relying on other transfer tools (such as SCCs) for transfers to the United States will have to consider whether they want to self-certify with the new Framework (as their sole or additional transfer tool), depending on the complexity of the U.S. transfers and the companies' global transfer strategy. Companies that have maintained their EU-U.S. Privacy Shield self-certification will not need to make a separate self-certification to the new Framework and may begin relying on it immediately, provided they comply with the Framework's principles and update their privacy policies by October 10, 2023.