EU Adopts the EU-U.S. Data Privacy Framework 

July 11, 2023

The European Union (EU) announced on July 10 that it had formally adopted the adequacy decision for the EU-U.S. Data Privacy Framework, which goes into effect on July 11. U.S. organizations have been without a self-certification mechanism to allow for the legal transfer of personal data from the EU to the United States since the Schrems II decision by the European Court of Justice (ECJ) striking down the EU-U.S. Privacy Shield Program in July 2020. 

The new EU-U.S. Data Privacy Framework puts in place additional procedural protections for data subjects in the EU in connection with U.S. national security investigations in order to address the causes of the ECJ’s decision to overturn the Privacy Shield. Since the Schrems II decision, companies seeking to transfer EU personal data to the United States (which includes accessing data from the United States, even if the data is actually stored in Europe) have labored under a cloud of legal uncertainty, often relying on Standard Contractual Clauses buttressed with an onerous combination of data transfer impact assessments and supplementary protective measures (such as encryption). The EU-U.S. Data Privacy Framework is intended to streamline the legal requirements for data transfers by serving as an alternative legal transfer mechanism to the Standard Contractual Clauses, although it is certain to be challenged by the same privacy activists responsible for the Schrems II decision. Commercial entities' obligations under the new framework will be largely the same as those under the former Privacy Shield.

As with Privacy Shield, U.S. organizations will need to publish a privacy policy that conforms to the Data Privacy Framework requirements, identify an independent recourse mechanism for data subjects to file complaints through the use of an ITA-approved third-party arbitration service, and self-certify through the U.S. International Trade Administration’s (ITA) Data Privacy Framework website. Unfortunately, the early release of the website is generating errors, and the ITA may have been caught off guard by the EU’s announcement.

Share on LinkedIn

Authors

Christopher Dodson

Member

[email protected]

(215) 665-2174

Andrew Baer

Chair, Technology, Privacy & Data Security

[email protected]

(215) 665-2185

Related Practices


Organizations wishing to enroll in the new Data Privacy Framework are encouraged to contact Andrew Baer or Christopher Dodson from Cozen O’Connor’s Technology, Privacy & Data Security practice group.