European Commission Adopts an Adequacy Decision for a New EU-U.S. Data Privacy Framework

Epstein Becker & Green
Contact

Epstein Becker & Green

On July 10, 2023, the European Commission (“Commission”), which oversees and implements policies and laws of the European Union (“EU”), adopted an adequacy decision for the long-awaited EU-U.S. Data Privacy Framework (“EU-U.S. DPF”).

The EU-U.S. DPF replaces the EU-U.S. Privacy Shield Framework that was struck down by the Court of Justice of the EU in 2020.[1] As a result of the Commission’s adequacy decision for the EU-U.S. DPF, the transfer of personal data from the European Economic Area (“EEA”)[2] to U.S. businesses that participate in the EU-U.S. DPF will be permitted under the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) even if the EEA exporter and U.S. importer participating in the EU-U.S. DPF do not put in place safeguards such as the EU Standard Contractual Clauses (which U.S. importers are often reluctant to do) or rely upon a derogation under GDPR, Art. 49 (which EEA exporters are often reluctant to do). 

U.S. businesses that wish to receive personal data from the EEA will be able to participate in the EU-U.S. DPF by attesting to compliance with a prescribed set of privacy principles addressing the following topics: notice; choice; accountability for onward transfer; data integrity and purpose limitation; access; and recourse, enforcement, and liability. The EU-U.S. DPF also requires compliance with a number of supplemental principles addressing topics such as sensitive data, self-certification, human resources data, contracts for onward transfers, and pharmaceutical and medical products. Many of the privacy principles and supplemental principles under the EU-U.S. DPF are nearly identical to the principles laid out in the previous EU-U.S. Privacy Shield Framework. Importantly, however, in a significant deviation from the EU-U.S. Privacy Shield Framework, the EU-U.S. DPF supplemental principle on pharmaceutical and medical products confirms that the transfer of key-coded research data will be subject to the EU-U.S. DPF as a transfer of personal data.

The process to self-certify and recertify under the new EU-U.S. DPF is substantively similar to the process established under the previous EU-U.S. Privacy Shield Framework. Moreover, U.S. businesses that have already self-certified under the previous EU-U.S. Privacy Shield Framework will be able to self-certify under the new EU-U.S. DPF via a simplified procedure.

As was the case with the EU-U.S. Privacy Shield Framework, the U.S. Department of Commerce is charged with administering and monitoring participation in the EU-U.S. DPF. The Federal Trade Commission (“FTC”) will enforce compliance with the EU-U.S. DPF through Section 5 of the FTC Act, which bars unfair and deceptive acts and practices in or affecting commerce.

Although the Commission’s adequacy decision marks a milestone for U.S. businesses engaging in cross-border data transfers with EEA-based entities, the EU-U.S. DPF is available only to U.S. businesses that are subject to the authority of the FTC. This generally means that most U.S. nonprofit organizations, such as nonprofit hospitals, health systems, or universities, cannot avail themselves of the EU-U.S. DPF. 

In short, the new EU-U.S. DPF may be an attractive option for U.S. pharmaceutical and medical device companies, and other U.S. businesses, that find the EU Standard Contractual Clauses onerous and unpalatable and want a more expedient way to transfer personal data out of the EEA. Participation in the EU-U.S. DPF is not without its own burdens and risks, however, given the implementation steps required to self-certify and the agency compliance monitoring and enforcement provisions associated with participation. Participation in the EU-U.S. DPF also does not obviate the need for the participating company to enter onward transfer agreements with third parties to which it further transfers the personal data or eliminate the requirement to enter data processing agreements with such third parties that are processors.

Organizations that are not eligible to participate in the EU-U.S. DPF may nonetheless rely on the safeguards contained in President Biden’s Executive Order 14086 and in the U.S. Attorney General’s Regulation on the Data Protection Review Court, which were developed in facilitation of the EU-U.S. DPF but which apply to all transfers of personal data to the United States under the GDPR, to support their use of other transfer mechanisms such as the EU Standard Contractual Clauses. The U.S. Department of Commerce will launch an EU-U.S. DPF website (www.dataprivacyframework.gov) on July 17, 2023.

ENDNOTES

[1] Data Protection Commissioner v. Facebook Ireland, Ltd. and Maximillian Shrems (Case C-311/18, ECLI:EU:C:2020:559 (July 16, 2020)).

[2] The EEA comprises the following countries: Austria, Belgium, Bulgaria, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Epstein Becker & Green

Written by:

Epstein Becker & Green
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Epstein Becker & Green on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide