On July 10, 2023, the European Commission (EC) adopted its long-awaited adequacy decision for the United States, resulting in the new EU-U.S. Data Privacy Framework (DPF or Framework). For more information, see our European Commission Adopts EU-U.S. Adequacy Decision blog post.
Qualified Adequacy Decision for the United States. Typically, EC adequacy decisions automatically apply to businesses established in the country in question—because that country’s data protection regime is deemed by the EC to be “essentially equivalent” to that of the European Union. However, the result of years of negotiations between U.S. and EC trade officials in this case is a qualified finding of adequacy for the United States. This means that U.S. companies must first self-certify their adherence to the new EU-U.S. Data Privacy Framework in order to lawfully receive EU data subjects’ personal data for processing. For U.S. businesses that do not participate in the Framework, another data transfer mechanism established under Chapter 5 of the EU General Data Protection Regulation must be utilized to ensure a lawful cross-border transfer.
New DPF Framework Website Is Live – For Use by New Participants and Former Privacy Shield Companies. Starting July 17, 2023, the new Framework website is live. U.S. companies that continued to participate in the EU-U.S. Privacy Shield Framework have been automatically enrolled in the Framework. Such U.S. businesses must nonetheless ensure they comply with the new, modified Framework Principles effective immediately and update references to the Framework in their Privacy Policy by Oct. 10, 2023. Such participants must also use the Framework website to re-certify their adherence to the Principles in advance of the time of their next scheduled annual re-certification.
U.S. companies that never self-certified, or no longer are self-certified, under the Privacy Shield program may follow the steps outlined on the Framework website to self-certify their adherence to the Principles, register independent recourse mechanisms as appropriate, and correspond as needed with DPF program representatives.
Applicability to UK and Swiss Data Exports. Beginning July 17, 2023, U.S. companies joining or remaining in the Framework may also self-certify their adherence to either or both the United Kingdom Extension to the EU-U.S. DPF, or the Swiss-U.S. DPF, but U.S. companies may not begin relying on those frameworks as lawful transfer mechanisms until those countries’ own respective U.S. adequacy decisions are announced, which is anticipated in the near future.
DPF Webinar. On Tuesday, Aug. 15, members of Greenberg Traurig’s Data Privacy & Cybersecurity team will host a complimentary webinar to discuss the practical implications of the adequacy decision and Framework. Please click here for more information and to register for the webinar (and to receive the slides and on-demand access afterwards).