To the relief of tech giants, on July 10, 2023, the U.S. and European Union (EU) finally agreed on a mechanism for international data transfer to replace the Privacy Shield, which had been invalidated in 2020 by the European Court of Justice. Following that court decision, the U.S. and the EU engaged in a lengthy process of creating a new framework that the EU would find adequate to protect EU personal information and allow a safe harbor for the transfer of such information to the U.S. During this interim period businesses that move data from Europe to the U.S. were in limbo and had to rely on alternative mechanisms, including “standard contractual clauses,” which are themselves the subject of a challenge in the EU.
New Adequacy Decision
Following this lengthy process, the EU has now concluded that the new EU-U.S. Data Privacy Framework (“DPF”) adequately protects EU personal data. This “adequacy decision,” effective July 10 enables the transfer of EU personal data to participating organizations consistent with EU law. Effective July 17, 2023, a similar framework is in place between the U.S. and both the UK and Switzerland.
The most contentious issue had been the access and use of personal data by U.S. public authorities and the lack of an adequate redress mechanism. In October, 2022 President Biden issued an Executive Order focusing on “signals intelligence” (that is, intelligence derived from electronic signals and systems), limiting such data collection to specifically defined situations and creating a two-tier redress system, with a new Data Protection Review Court as the second level.
In order to participate in the DPF, U.S. companies importing personal data from the EU need to self-certify and publicly commit to compliance with the Data Privacy Framework (DPF) Principles. These enforceable privacy obligations include, for example, limitation of data collection and retention to what is necessary for the purpose, allowing EU citizens access to their data and the right to correction or deletion of incorrect or unlawfully handled data. There also must be mechanisms for redress, including free of charge independent dispute resolution mechanisms and an arbitration panel.
The self-certification process is similar to the one that existed for the Privacy Shield. The U.S. Department of Commerce will process applications for certification and monitor whether participating companies continue to meet the certification requirements. Compliance by U.S. companies will be enforced by the U.S. Federal Trade Commission.
Organizations that had self-certified under the Privacy Shield that wish to participate in the new program do not need to go through the new self-certification process. They will have three months from the effective date of the adequacy decision (until October 10, 2023 or, in the case of the UK and Switzerland, October 17, 2023) to update their website privacy policies to change references to the Privacy Shield to the “EU-US Data Privacy Framework Principles” and to revise the language to comply with the new obligations. The Department of Commerce website provides sample language. An organization that does not wish to participate in the new program needs to go through a withdrawal process.
Not everyone agrees with the EU determination of adequacy. Max Schrems, the privacy activist who brought down the Privacy Shield, has already indicated his intention to challenge the new framework as lacking a redress mechanism for non-U.S. citizens. As a result international data transfer may again be thrown into limbo.
Compounding the core problem is the fact that the U.S. does not have a comprehensive federal privacy law that could assure basic protections for personal data comparable to what the EU has enacted in GDPR. There are privacy laws at the state level, however, and there is some suggestion that the EU data authorities may collaborate with California, which has the most advanced state law, to develop a more comprehensive plan.