On July 10, 2023, the European Commission (the “Commission”) adopted an adequacy decision for the EU-U.S. Data Privacy Framework (the “Framework”).

The Framework provides companies that opt in with a legitimate means of transferring data subject to the European Union’s (“EU”) General Data Protection Regulation from the European Economic Area (“EEA”) to the United States. Now that it has the Commission’s approval, the negotiated Framework takes immediate effect, putting companies that opt in and comply on firmer footing. At least as long as the Framework holds.

Despite all the optimism, privacy activist and lawyer Maximillian Schrems (best known for successfully challenging two earlier EU-U.S. cross-border data sharing frameworks) has reservations. “They say the definition of insanity is doing the same thing over and over again and expecting a different result. Just like ‘Privacy Shield[,]’ the latest deal is not based on material changes, but by political interests,” Schrems is quoted as saying. “We [have] now had ‘Harbors’, ‘Umbrellas’, ‘Shields’ and ‘Frameworks’ — but no substantial change in US surveillance law.”

Building on Past Decisions

First came the EU-U.S. Safe Harbor Principles, a mechanism that was struck down by the Court of Justice of the European Union (the “CJEU”) in the Schrems I decision¹ in 2015. Then came the EU-U.S. Privacy Shield, which fell in Schrems II² in 2020.

The presently adopted Framework is intended to address the concerns raised by the CJEU in those earlier decisions. Specifically, the Framework grants EU individuals the right to obtain access to their data and to correct or delete inaccurate data. Additionally, those individuals have a new means of challenging access to their personal information by U.S. intelligence agencies when such access is not necessary and proportionate to U.S. national security interests. EU residents must first submit a complaint to their national (European) data protection authority about the potential use of their data by U.S. intelligence agencies. The complaint is then transferred to a Civil Liberties Protection Officer of the U.S. intelligence community for investigation and initial decision. Appeal through an independent Data Protection Review Court is also available.

Opt-In Required

To conduct transfers from the EEA to the U.S. under the Framework, an organization must publicly declare its commitment to abide by the Framework and implement its principles.

Additionally, an organization must submit an application to the U.S. Department of Commerce with a description of the personal data that will be processed under the Framework, the purpose of that processing, the organization’s privacy policy, the chosen verification method, and the applicable independent recourse mechanism and statutory body to enforce compliance with the Framework.

The Framework also requires verification that an organization is upholding its obligations. Organizations may choose to either self-assess compliance or secure an outside compliance review. While the U.S. Department of Commerce will coordinate the Framework certification program, the U.S. Department of Justice and Federal Trade Commission will enforce it.

Concerns Remain

In the absence of an adequacy decision, companies transferring data from the EEA to the U.S. have had to rely on safeguards deemed adequate to protect individuals’ rights to their personal data, which are typically secured through standard contractual clauses (“SCCs”) drafted by the Commission. Even when using SCCs, companies have incurred substantial fines, including a record-breaking $1.3 billion fine levied against Meta in May.

While the Framework is intended to address the issues raised by past CJEU decisions, Schrems’ non-profit group NOYB has said that it is waiting in the wings, preparing to challenge the decision.

What This Means for You

Companies that transfer EU personal data to the U.S. should be aware that opting in and complying with the Framework is a means of legally transferring EU personal data to U.S.-based affiliates, contractors, or service providers.

V&E assists clients in identifying, managing, and mitigating data privacy and cybersecurity risks, from early planning and assessment to managing incident response and resulting litigation.

¹ Case C-362/14, Schrems v Data Prot. Comm’r, ECLI:EU:C:2015:650 (Oct. 6, 2015).

² Case C-311/18, Data Prot. Comm’r v Facebook Ir. Ltd., ECLI:EU:C:2020:559 (July 16, 2020).