On July 10, the European Commission announced the adoption of its adequacy decision for the EU-US Data Privacy Framework. This decision provides another mechanism for US organizations to legitimately transfer data from the EU to the US.
3 Key Things to Know About The EU-US Adequacy Decision
Participating Entities Have Another Mechanism to Transfer Personal Data Between the EU and US.
Adequacy decisions are a tool under the General Data Protection Regulation (GDPR) that verifies that third countries have a comparable level of protection.
An adequacy decision allows personal data to flow freely and safely from the European Economic Area (EEA) to third countries. No further authorization is required, and no further conditions must be met.
The adequacy decision allows data transfers from any public or private entity in the EEA to US companies that are participating in the EU-US Data Privacy Framework.
To Participate, Entities Must Self-Certify.
The process will likely require entities to comply with a detailed set of privacy obligations. While these have not yet been confirmed, it is likely that some or all of the following privacy principles will be relevant:
- Purpose limitation.
- Data minimization.
- Data retention.
- Specific data security measures.
- Limited or restricted sharing of data with third parties.
Entities that were previously certified under the (now struck down) Privacy Shield and entities looking to be certified for the first time can find more information about the registration process here: https://www.dataprivacyframework.gov/s/
Bear in mind that only companies that fall under the purview of the Federal Trade Commission are eligible. So, financial institutions and not-for-profits are excluded.
The Adequacy Decision Will Be Challenged in the European Courts.
The first thing to note about the EU-US adequacy decision is that NOYB intends to challenge the decision in the European Court of Justice (CJEU). NOYB is run by Max Schrems, the Austrian privacy lawyer who challenged the two previous mechanisms negotiated for EU-US data transfers – and had them both overturned.
NOYB’s blog post responding to the European Commission’s adequacy decision suggests that we should have clarity about the longevity of this decision by 2024 or 2025:
“It is not unlikely that a challenge would reach the CJEU by the end of 2023 or the beginning of 2024. The CJEU would then even have the option to suspend the “Framework” for the time of the procedure. A final decision by the CJEU would be likely by 2024 or 2025. No matter if such a challenge will be successful, this will bring clarity to the “Trans-Atlantic Data Privacy Framework” within about two years.” – NOYB blog post.
If you need assistance navigating privacy in the US, reach out. Our privacy attorneys would love to help.