Update of an article initially published on 18 August 2023
On 10 July 2023, the European Commission adopted a new adequacy decision establishing the EU-US Data Privacy Framework. The Commission established in its decision that the United States ensures an adequate level of protection, pursuant to Article 45 GDPR, for personal data transferred from the European Economic Area to organisations in the US that are included in the “Data Privacy Framework List”, which is maintained and made public by the US Department of Commerce. Organisations that wish to transfer personal data to the US under the Data Privacy Framework are obliged to verify whether the data importer is self-certified and included on the list.
This adequacy decision replaces the former adequacy decision establishing the EU-US Privacy Shield, which was invalidated by the Court of Justice of the European Union (CJEU) in a resounding judgment of 16 July 2020 (Schrems II judgment).
Based on the new adequacy decision, personal data can henceforth flow “securely” from the EEA to self-certified US organisations participating in the Data Privacy Framework without the organisations having to implement additional technical, organisational or contractual safeguards and measures to protect personal data.
The adequacy decision was adopted on 10 July 2023 and is immediately applicable. Companies that were self-certified under the EU-US Privacy Shield are also automatically self-certified under the Data Privacy Framework (provided they take certain actions by October 2023).
The question remains how long this adequacy decision will stand. Max Schrems’ privacy organisation (NOYB – None Of Your Business) has already indicated that it will challenge the new adequacy decision, but it was beaten to it by Philippe Latombe, a French member of the European Parliament and commissioner of the French data protection authority (CNIL), who became the first to challenge the adequacy decision before the General Court. In his press release, Latombe expressed concerns regarding the insufficient protection of personal data, the violation of the rights of Europeans and the lack of compliance with procedural language rules (based on Article 264 TFEU). However, the General Court recently dismissed his application seeking interim measures to suspend the EU-US Data Privacy Framework. Latombe failed to prove either the urgency of his application or that the EU-US Data Privacy Framework would cause serious and irreparable harm.
It might therefore be advisable for organisations to still include a fall-back mechanism based on Standard Contractual Clauses in long-term data sharing agreements.