In March 2022, the European Union (“EU”) Commission and the United States (“US”) announced that they had agreed, in principle, on a new EU-US Data Privacy Framework (the “Framework”) to facilitate the transatlantic flow of EU personal data to the US. In October 2022, President Biden signed an Executive Order setting out the steps the US committed to undertake in preparation for the Framework. In December 2022, the EU Commission (“EC”) launched the process of adopting an adequacy decision. The draft decision concludes that the US ensures an adequate level of protection for personal data transferred from the EU to the US.
The Framework acts as an agreement between the EU and US which permits a data exporter to transfer EU personal data to the US, without the need to implement an additional transfer mechanism, such as the commonly used EU Standard Contractual Clauses (“SCCs”).
The EU prohibits the transfer of EU personal data to jurisdictions (including the US) whose data protection regime is not deemed to be “adequate” in protecting the rights and privacy of individuals. Such transfers may only take place under an appropriate transfer mechanism deemed by the EU to adequately safeguard the personal data concerned.
The EU-US Privacy Shield was previously one of the transfer mechanisms deemed sufficient in providing adequate data protection for transatlantic data transfers. In 2020, the European Court of Justice ruled, in the case of Schrems II, that the EU-US Privacy Shield was an inadequate transfer mechanism due to concerns surrounding the ability of US intelligence agencies to intercept personal data and the lack of redress for EU data subjects.
The new Framework
The steps taken under the Executive Order aim to address the issues identified in the Schrems II decision, and so ensure the new Framework is deemed adequate, by:
- limiting access to EU personal data by US intelligence agencies to what is “necessary” and “proportionate” to protect US national security;
- enhancing the requirements for the handling of personal data collected by US intelligence agencies; and
- establishing a redress system for non-US persons to obtain an independent and binding review and redress of claims that personal data collected by US intelligence agencies is processed in violation of US privacy law.
Although the Executive Order authorises the implementation measures required under the new Framework, the EC must finalise the issuance of the formal adequacy decision to approve the Framework for use by organisations. The draft adequacy decision was transmitted to the European Data Protection Board (EDPB) for its opinion. The EC will need approval from a committee with representatives of the EU Member States, and the European Parliament has a right of scrutiny over the adequacy decision until its final adoption.
If the Framework is approved for use, organisations will not be required to put in place additional transfer mechanisms to safeguard the transfer of EU personal data to the US (such as SCCs or Binding Corporate Rules), significantly reducing the burden on such organisations.
Next steps for firms
We can assist you in identifying the appropriate transfer mechanism for your international data transfers and in determining whether any transfer mechanisms you already have in place should be updated in light of the new EU-US Data Privacy Framework.
For more information and guidance or advice on the EU-US Data Privacy Framework, Cleveland & Co External in-house counsel™, your specialist outsourced legal team, are here to help.