Here We Go (Again?): Adequacy Granted for EU-U.S. Data Privacy Framework
For a moment there, a few weeks back, it looked like it might not happen. Yet despite an opinion advising against adequacy from the European Parliament Committee on Civil Liberties, Justice and Home Affairs in May, the EU Commission adopted an adequacy decision for the EU-U.S. Data Privacy Framework (“Framework”) on July 10.
Wait, what is the Framework again?
Yes, it’s been a while. Here’s a quick refresher. The Data Privacy Framework is the replacement for the EU-U.S. Privacy Shield framework, which the Court of Justice of the European Union found to be an invalid cross-border data transfer mechanism in the (now infamous — at least in the privacy world) Schrems II decision in July 2020. The EU-U.S. Data Privacy Framework will now be a valid method to legally enable transfers of personal data from the EU to the U.S. under the GDPR. Note that it has taken almost three years to the day for the foundations of the new Framework to be developed and for the Framework to be granted adequacy.
What does this mean?
Businesses now have an alternative transfer mechanism available for EU to U.S. data transfers, which may ease the data transfer compliance burden. If you stuck with the EU-U.S. Privacy Shield Framework and kept your certification current, good news! You’ll be able to follow a simplified process to self-certify to the new Framework. All businesses that wish to use the new Framework for transferring EU personal data to the U.S. will need to self-certify with the U.S. Department of Commerce and comply with a set of privacy obligations, including a core set of principles.
Update: Guidance from the U.S. Department of Commerce
On July 11, the U.S. Department of Commerce issued guidance with information on next steps. Here’s a brief summary:
If your organization is still self-certified under the Privacy Shield:
- You do not need to submit a separate self-certification. This is true for transfers to the U.S. from the EU/EEA and from Switzerland. 
- You can begin relying on the new Framework immediately for EU/EEA to U.S. data transfers. 
- For transfers from Switzerland to the U.S., you will not be able to rely on the new Framework until the Swiss Federal Administration’s recognition of adequacy enters into force.
- You DO need to update your privacy policy to follow the new EU-U.S. Data Privacy Framework principles by October 10, 2023. 
- For data transfers from Switzerland, you need to update your privacy policy to follow the new Swiss-U.S. Framework principles by October 17, 2023. 
- As of July 17, 2023, to log in to your account, you will need to access the new Framework website. Commerce says your existing credentials will work on the new site. 
- Don’t want to maintain your self-certification under the new Framework? You’ll need to formally withdraw following the established withdrawal process (see section (f) of the Supplemental Principle on Self-Certification). 
What about the UK:
- There is a UK Extension to the new Framework. Beginning July 17, 2023, organizations can self-certify compliance to the UK Extension. See the timing caveat in Note 2. 
- Note 1: If you want to self-certify to the UK Extension, you also have to self-certify to the EU-U.S. Framework. 
- Note 2: Organizations will not be able to rely on the UK Extension for data transfers until the UK adequacy regulations enter into force. 
If you’re not currently self-certified under Privacy Shield and want to self-certify under the new Data Privacy Framework:
- Starting on July 17, 2023, you can submit your initial self-certification with the Department of Commerce on their new Data Privacy Framework website. This applies to the new EU-U.S. Framework, Swiss-U.S. Framework, and UK Extension.
More information, please
Take a read through the EU Commission’s FAQs and info sheet for more details about the Framework and the adequacy decision. You can also read the adequacy decision itself here.
The U.S. Department of Commerce’s guidance can be found here.
Want to know more? Need help with self-certification or data transfers in general? Reach out at info@enlightenedprivacy.com.
Please note that this is not intended to be legal guidance.
 
                        