On July 10, 2023, the European Commission adopted its long-awaited adequacy decision on the EU-U.S. Data Privacy Framework (the “Framework”), thereby concluding that the United States ensures an adequate level of protection for personal data that are transferred from the European Union to companies in the U.S. that participate in the Framework.
The Framework replaces the EU-U.S. Data Privacy Shield that was previously invalidated by the Court of Justice of the European Union (CJEU) in its Schrems II judgment on July 16, 2020. Privacy Shield replaced the previous EU-U.S. agreement known as Safe Harbor (from 2000), which was invalidated by the CJEU in its Schrems I judgment on October 6, 2015. Given this history, it seems likely the Framework will be challenged in the near future, and it remains to be seen whether the new data safeguards for European Economic Area (EEA) individuals under the Framework will be regarded as sufficient by the CJEU.
The Framework serves as an additional data transfer tool under the EU General Data Protection Regulation (GDPR) and allows entities from the EEA to transfer personal data to U.S. companies that are included in the ‘Data Privacy Framework List’, maintained by the U.S. Department of Commerce.
Therefore, when transferring data to U.S. companies on the Data Privacy Framework List, EEA entities will no longer need to rely on standard contractual clauses, binding corporate rules or other safeguards or derogations listed in Article 49 GDPR, but will now be able to use the Framework as an alternative data transfer mechanism. The same will be true for onward transfers of EEA personal data from one U.S.-based company that is subject to the GDPR under Article 3 to another U.S. company on the Data Privacy Framework List.
An essential element of the Framework concerns the Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’ that was signed by President Biden in October 2022 to enhance and safeguard the rights of EEA individuals whose data are being transferred to the U.S. For this purpose, the Executive Order, together with accompanying regulations adopted by the U.S. Attorney General, limits access to EEA personal data by U.S. intelligence authorities and establishes a new two-layer redress mechanism to handle and resolve complaints from EEA individuals.