European Commission Adopts Adequacy Decision for Transatlantic Data Privacy Framework

Snell & Wilmer

[co-author: Cynthia Murrieta [1], Summer Associate]

After years of uncertainty in the privacy rules governing transfer of data from the EU to the U.S., the new transatlantic data privacy framework has finally been adopted. On July 10, the European Commission formally adopted its adequacy decision for the EU-U.S. Data Privacy Framework (the “EU-U.S. DPF”).

At its core, the adequacy decision facilitates the transfer of personal data from the EU to third countries. The decision concludes that the U.S. ensures an adequate level of protection – compared to that of the EU – for EU personal data transferred from the EU to U.S. companies participating in the EU-U.S. DPF, provided certain conditions are satisfied. [2]

The new process will rejuvenate a self-certification system for lawful transfer of EU personal data to the U.S. from the EU in addition to the other lawful transfer mechanisms, such as Standard Contractual Clauses. U.S. companies who are subject to the General Data Protection Regulation (the “GDPR”) will be able to join the EU-U.S. DPF by committing to comply with a detailed set of privacy obligations to receive EU personal data without having to put in place additional transfer safeguards. Companies currently self-certified under the EU-U.S. Data Privacy Shield Framework will have access to a simplified procedure for self-certification under the EU-U.S. DPF.

The EU-U.S. DPF will be subject to periodic reviews, to be carried out by the European Commission, together with representatives of EU data protection authorities and competent U.S. authorities. The first review will take place within a year of entry into force of the EU-U.S. DPF, in order to verify that all relevant elements have been fully implemented in the U.S. legal framework and are functioning effectively in practice.

More information about the EU-U.S. DPF and the self-certification process is expected to be announced on the U.S. Department of Commerce’s new Data Privacy Framework website. [3] Organizations should consider reaching out to legal counsel to better understand the legal ramifications of the EU-U.S. DPF or for assistance in the self-certification process.

Footnotes:

  1. Snell & Wilmer 2023 summer associate Cynthia Murrieta provided material assistance in the production of this article. Cynthia Murrieta is not a licensed attorney.

  2. See Data Protection: European Commission adopts new adequacy decision for safe and trusted EU-U.S. data flows (July 10, 2023), https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721.

  3. See U.S. Department of Commerce’s Data Privacy Framework (July 11, 2023), https://www.dataprivacyframework.gov/s/.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Snell & Wilmer | Attorney Advertising
