The European Commission published a very significant adequacy decision last week, which is expected to facilitate transfers of personal information from Europe to the United States. The decision came as part of the Commission’s official recognition of a revised arrangement (the EU-US Data Privacy Framework) meant to provide protection of personal data at a level on par with the EU’s General Data Protection Regulation (GDPR).

This new adequacy decision means that American companies registered and recognized under the new DPF Program will be able to benefit from this recognition and transfer personal information from Europe to the United States without the restrictions that existed up until now. This is provided they assume enhanced obligations beyond the level prescribed in current US legislation.

The New DPF Program and SCCs

The adequacy of privacy protection when transferring data from the European Union to the United States under the GDPR has been examined several times. Inter alia, the Court of Justice of the European Union () examined it due to its concerns about the level of protection of personal information in the United States, particularly regarding the ability of American intelligence agencies to access such information. In 2020, the CJEU invalidated the Privacy Shield mechanism that allowed the transfer of personal information between the EU and the US up until then. This ruling, known as Schrems II, emphasized that companies must verify the legal situation in the recipient country of the data transfer and the requisite safeguards during data transfers. The CJEU ruled that reliance solely on the standard contractual clause (SCC) mechanism is insufficient to demonstrate compliance with the regulatory provisions. Other European regulatory authorities also adopted this ruling. This past May, the Irish Data Protection Commission fined Meta a whopping EUR 1.2 billion fine for violations of the GDPR, citing that the company transferred data from Europe to the United States without an adequate legal arrangement and failed to implement sufficient measures to ensure an adequate level of protection for the information transferred and stored in the United States.

The new adequacy decision improves the previous Privacy Shield arrangement and addresses the concerns raised by the CJEU in the previous round. Inter alia, the new adequacy decision significantly restricts the ability of American intelligence agencies to gain access to personal information of EU citizens. It also grants rights of redress to EU citizens, including dispute resolution mechanisms and access to a new, independent tribunal, the Data Protection Review Court (the DPRC).

Registration for the new EU-US Data Protection Framework Program entails numerous obligations. Inter alia, companies and corporations joining the DPF Program must commit to complying with the following standards:

1. Transparency regarding processing of personal information
2. Data security
3. Granting users rights relating to information, including the right of access
4. Credibility and accuracy of the information
5. Accountability of the organization (inter alia, in relation to procedures and enforcement programs)

There is no certainty if the new arrangement will remain in effect over time, or if it will eventually be invalidated like the previous two arrangements. Undoubtedly, however, this is important news, providing short-term relief for a legal issue that has negatively impacted many global companies.

Next Steps

Companies interested in registering for the new DPF Program, while committing to strict privacy and data security standards, may do so using the dedicated page (link). However, it is important to note that this new mechanism is subject to annual review and that, in essence, it allows the unrestricted transfers of information only to American companies that have joined the DPF Program.

It is also important to note that if a company joins the DPF Program but fails to comply with the requisite standards, it is risking enforcement proceedings and fines, since the Federal Trade Commission (FTC) is responsible for enforcing the program.

Companies that choose not to register for the new DPF Program will be able to transfer information from Europe to the United States under the existing GDPR provisions, including by way of the SCC mechanism, provided they perform data transfer impact assessments (DTIAs) and adopt the additional data security measures, as required.

Israeli (or European) companies using suppliers in the US to process or store information will be able to rely on the suppliers’ registration for the new DPF Program, without needing a contractual arrangement, such as the SCCs, and without being required to perform DTIAs prior to transferring the information.

Operative Recommendations

Companies should carefully review all details of the DPF Program and ascertain, considering each company’s particular privacy practices, if it is preferable, at this stage, to rely on the new DPF Program and register for it, or, alternatively, to continue relying on the existing arrangements for transatlantic data transfers. Companies and corporations that do decide to register for the new DPF Program must update their data privacy agreements (DPAs) to ensure compliance. They must also examine their data transfer procedures, whether for intercompany transfers within the same group or transfers to external companies and suppliers. 

We recommend that companies with suppliers in the United States also review and amend their data transfer agreements with the suppliers and prioritize, to the extent possible, the use of suppliers in the United States that have registered for the new DPF Program. This will thus help such companies avoid the requirement to sign SCCs and perform individual DTIAs in relation to the data transfers.

[View source.]