On July 10, 2023, the European Commission (EC) adopted its long-awaited adequacy decision for the United States, resulting in the new EU-U.S. Data Privacy Framework (DPF or Framework). For more information, see our European Commission Adopts EU-U.S. Adequacy Decision blog post.
Qualified Adequacy Decision for the United States. Typically, EC adequacy decisions automatically apply to businesses established in the country in question—because that country’s data protection regime is deemed by the EC to be “essentially equivalent” to that of the European Union. However, the result of years of negotiations between U.S. and EC trade officials in this case is a qualified finding of adequacy for the United States. This means that U.S. companies must first self-certify their adherence to the new EU-U.S. Data Privacy Framework in order to lawfully receive EU data subjects’ personal data for processing. For U.S. businesses that do not participate in the Framework, another data transfer mechanism established under Chapter 5 of the EU General Data Protection Regulation must be utilized to ensure a lawful cross-border transfer.
U.S. companies that never self-certified, or no longer are self-certified, under the Privacy Shield program may follow the steps outlined on the Framework website to self-certify their adherence to the Principles, register independent recourse mechanisms as appropriate, and correspond as needed with DPF program representatives.
Applicability to UK and Swiss Data Exports. Beginning July 17, 2023, U.S. companies joining or remaining in the Framework may also self-certify their adherence to either or both the United Kingdom Extension to the EU-U.S. DPF, or the Swiss-U.S. DPF, but U.S. companies may not begin relying on those frameworks as lawful transfer mechanisms until those countries’ own respective U.S. adequacy decisions are announced, which is anticipated in the near future.
DPF Webinar. On Tuesday, Aug. 15, members of Greenberg Traurig’s Data Privacy & Cybersecurity team will host a complimentary webinar to discuss the practical implications of the adequacy decision and Framework. Please click here for more information and to register for the webinar (and to receive the slides and on-demand access afterwards).