EU Adopts the EU-U.S. Data Privacy Framework

Andrew Baer, Christopher Dodson
Cozen O'Connor
Contact
LinkedIn
Facebook
X
Send
Embed

Cozen O'Connor

The European Union (EU) announced on July 10 that it had formally adopted the adequacy decision for the EU-U.S. Data Privacy Framework, which goes into effect on July 11. U.S. organizations have been without a self-certification mechanism to allow for the legal transfer of personal data from the EU to the U.S. since the Schrems II decision by the European Court of Justice (ECJ) striking down the EU-U.S. Privacy Shield Program in July 2020.

The new EU-U.S. Data Privacy Framework puts in place additional procedural protections for data subjects in the EU in connection with U.S. national security investigations in order to address the causes of the ECJ’s decision to overturn the Privacy Shield. Since the Schrems II decision, companies seeking to transfer EU personal data to the U.S. (which includes accessing data from the U.S., even if the data is actually stored in Europe) have labored under a cloud of legal uncertainty, often relying on Standard Contractual Clauses buttressed with an onerous combination of data transfer impact assessments and supplementary protective measures (such as encryption). The EU-U.S. Data Privacy Framework is intended to streamline the legal requirements for data transfers by serving as an alternative legal transfer mechanism to the Standard Contractual Clauses, although it is certain to be challenged by the same privacy activists responsible for the Schrems II decision. Commercial entities' obligations under the new framework will be largely the same as those under the former Privacy Shield.

As with Privacy Shield, U.S. organizations will need to publish a privacy policy that conforms to the Data Privacy Framework requirements, identify an independent recourse mechanism for data subjects to file complaints through the use of an ITA-approved third-party arbitration service, and self-certify through the U.S. International Trade Administration’s (ITA) Data Privacy Framework website. Unfortunately, the early release of the website is generating errors, and the ITA may have been caught off guard by the EU’s announcement.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cozen O'Connor | Attorney Advertising

Written by:

Cozen O'Connor
Cozen O'Connor
Contact
more
less

Cozen O'Connor on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide