European Commission Adopts Adequacy Decision for Transatlantic Data Privacy Framework
July 12, 2023
By Aloke S. Chakravarty, James P. Melendres, Tony Caldwell and Cynthia Murrieta [1]
After years of uncertainty in the privacy rules governing transfer of data from the EU to the U.S., the new transatlantic data privacy framework has finally been adopted. On July 10, the European Commission formally adopted its adequacy decision for the EU-U.S. Data Privacy Framework (the “EU-U.S. DPF”).
At its core, the adequacy decision facilitates the transfer of personal data from the EU to third countries. The decision concludes that the U.S. ensures an adequate level of protection – compared to that of the EU – for EU personal data transferred from the EU to U.S. companies participating in the EU-U.S. DPF, provided certain conditions are satisfied. [2]
The new process will rejuvenate a self-certification system for the lawful transfer of EU personal data from the EU to the U.S., in addition to the other lawful transfer mechanisms, such as Standard Contractual Clauses. U.S. companies that are subject to the General Data Protection Regulation (the “GDPR”) will be able to join the EU-U.S. DPF by committing to comply with a detailed set of privacy obligations, and can then receive EU personal data without having to put in place additional transfer safeguards. Companies currently self-certified under the EU-U.S. Data Privacy Shield Framework will have access to a simplified procedure for self-certification under the EU-U.S. DPF.
The EU-U.S. DPF will be subject to periodic reviews, to be carried out by the European Commission together with representatives of EU data protection authorities and competent U.S. authorities. The first review will take place within a year of entry into force of the EU-U.S. DPF, in order to verify that all relevant elements have been fully implemented in the U.S. legal framework and are functioning effectively in practice.
More information about the EU-U.S. DPF and the self-certification process is expected to be announced on the U.S. Department of Commerce’s new Data Privacy Framework website. [3] Organizations should consider reaching out to legal counsel to better understand the legal ramifications of the EU-U.S. DPF or for assistance in the self-certification process.
[1] Snell & Wilmer 2023 summer associate Cynthia Murrieta provided material assistance in the production of this article. Cynthia Murrieta is not a licensed attorney.
[2] See Data Protection: European Commission adopts new adequacy decision for safe and trusted EU-U.S. data flows (July 10, 2023), https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721.
[3] See U.S. Department of Commerce’s Data Privacy Framework (July 11, 2023), https://www.dataprivacyframework.gov/s/.