The European Union (“EU“) and the United States (“U.S.“) came to an agreement regarding an agreed-upon mechanism for transatlantic data exchanges: the EU-U.S. Data Privacy Framework (the “Data Privacy Framework“). Put simply, U.S. companies may now rely on the Data Privacy Framework to demonstrate compliance with the rigorous requirements of EU privacy laws. The Data Privacy Framework is a breath of relief for entities who used to rely on the Privacy Shield Framework, which the Court of Justice of the European Union (“CJEU“) invalidated on July 16, 2020 because it did not include sufficient privacy protections for EU data.
Overview of the EU-U.S. Data Privacy Framework: ‘Privacy Shield 2.0’
On July 10, 2023, the European Commission (the “Commission“) adopted an adequacy decision for the Data Privacy Framework, affirming its view that the strengthened protections in U.S. laws meet EU legal requirements. In particular, the Commission determined that the Data Privacy Framework addresses all concerns raised by the CJEU, including access to EU data by U.S. intelligence services, a new redress mechanism for EU citizens, and amended privacy principles to meet the EU legal requirements. The adequacy decision became effective with its adoption on July 10, 2023.
Is the Data Privacy Framework in Final Form?
Not quite. The Commission will continuously review relevant developments in the United States and regularly consider the validity of the adequacy decision. The first review will take place on July 10, 2024 to verify whether all relevant elements of the Data Privacy Framework are effective in their application. Subsequently, and depending on the results of the initial review, the Commission will determine, in consultation with the EU Member States and data protection authorities, on the frequency of future reviews, which would take place at least every four (4) years.
Who is in Charge of Oversight and Enforcement?
The Data Privacy Framework will be administered by the Department of Commerce, which will process applications for certification and monitor whether participating entities continue to meet the requisite certification requirements. As with the Privacy Shield Framework, the U.S. Federal Trade Commission will enforce compliance with the new framework.
How Does a Company Become Certified?
U.S. entities will be able to pursue self-certification under the Data Privacy Framework by committing to comply with the EU-U.S. Data Privacy Framework Principles, without having to put in place additional transfer safeguards. According to the Department of Commerce, which is charged with administration and oversight of the Data Privacy Framework, the EU-U.S. Data Privacy Framework Principles and the process to self-certify and re-certify annually under the Data Privacy Framework will remain substantially similar as those under the defunct Privacy Shield Framework. Entities currently self-certified under the Privacy Shield Framework will have access to a simplified procedure for self-certification under the new Data Privacy Framework.
For More Information
Learn more by reviewing the Commission’s Fact Sheet and Questions & Answers regarding the Data Privacy Framework. If you have any questions about this article, please contact firstname.lastname@example.org or the attorney in the firm with whom you are regularly in contact.
Disclaimer: This article has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For specific legal advice regarding the Data Privacy Framework and its implications, please consult a qualified legal professional.