European Commission Adopts EU-U.S. Data Privacy Framework Adequacy Decision
On July 10, 2023, the European Commission adopted an adequacy decision regarding the EU-U.S. Data Privacy Framework (Framework). The adequacy decision procedure was established by the European Union’s (EU) General Data Protection Regulation (GDPR) to create a legal mechanism by which to permit the transfer of personal data from the EU to non-EU countries. In essence, an adequacy decision means that the European Commission has determined that a country—in this case the U.S.—offers an adequate level of protection to personal data comparable to that of the EU.
Going forward, U.S. companies that self-certify to the Framework, which will be administered by the U.S. Department of Commerce, will be able to freely transfer personal data to and from the EU. In order to self-certify to the Framework, U.S. companies will be required to commit to comply with a detailed set of privacy obligations and make the required certifications to the U.S. Department of Commerce. The privacy obligations are expected to include requirements around purpose limitation, data minimization, and data retention, as well as specific obligations concerning data security and the sharing of data with third parties. Further, as with its predecessor, the U.S. Privacy Shield, compliance with these requirements will be enforced by the U.S. Federal Trade Commission.
Although the adequacy decision is now in effect, the European Commission will continuously monitor relevant developments in the U.S. and regularly review the adequacy decision. The first review will take place by July 10, 2024.
Now that the adequacy decision has been finalized, the U.S. Department of Commerce will (i) provide information on how U.S. businesses that currently are not covered under the Privacy Shield can self-certify to the new Framework, and (ii) provide guidance to those companies that continued to adhere to the Privacy Shield Principles during the past three years. More information, as well as the certification, can be found on the recently created Data Privacy Framework website, which will likely be fully functional in the coming days.
***
Wiley’s Privacy, Cyber & Data Governance Team has helped companies of all sizes from various sectors proactively address risks and comply with new privacy laws and requirements. Please contact Joan Stewart (jstewart@wiley.law) or Tyler Bridegan (tbridegan@wiley.law) with any questions.