On July 10, 2023, the European Commission (“Commission”), which oversees and implements policies and laws of the European Union (“EU”), adopted an adequacy decision for the long-awaited EU-U.S. Data Privacy Framework (“EU-U.S. DPF”).
The EU-U.S. DPF replaces the EU-U.S. Privacy Shield Framework that was struck down by the Court of Justice of the EU in 2020.[1] As a result of the Commission’s adequacy decision for the EU-U.S. DPF, the transfer of personal data from the European Economic Area (“EEA”)[2] to U.S. businesses that participate in the EU-U.S. DPF will be permitted under the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) even if the EEA exporter and U.S. importer participating in the EU-U.S. DPF do not put in place safeguards such as the EU Standard Contractual Clauses (which U.S. importers are often reluctant to do) or rely upon a derogation under GDPR, Art. 49 (which EEA exporters are often reluctant to do).
U.S. businesses that wish to receive personal data from the EEA will be able to participate in the EU-U.S. DPF by attesting to compliance with a prescribed set of privacy principles addressing the following topics: notice; choice; accountability for onward transfer; data integrity and purpose limitation; access; and recourse, enforcement, and liability. The EU-U.S. DPF also requires compliance with a number of supplemental principles addressing topics such as sensitive data, self-certification, human resources data, contracts for onward transfers, and pharmaceutical and medical products. Many of the privacy principles and supplemental principles under the EU-U.S. DPF are nearly identical to the principles laid out in the previous EU-U.S. Privacy Shield Framework. Importantly, however, in a significant deviation from the EU-U.S. Privacy Shield Framework, the EU-U.S. DPF supplemental principle on pharmaceutical and medical products confirms that the transfer of key-coded research data will be subject to the EU-U.S. DPF as a transfer of personal data.
The process to self-certify and recertify under the new EU-U.S. DPF is substantively similar to the process established under the previous EU-U.S. Privacy Shield Framework. Moreover, U.S. businesses that have already self-certified under the previous EU-U.S. Privacy Shield Framework will be able to self-certify under the new EU-U.S. DPF via a simplified procedure.
As was the case with the EU-U.S. Privacy Shield Framework, the U.S. Department of Commerce is charged with administering and monitoring participation in the EU-U.S. DPF. The Federal Trade Commission (“FTC”) will enforce compliance with the EU-U.S. DPF through Section 5 of the FTC Act, which bars unfair and deceptive acts and practices in or affecting commerce.
Although the Commission’s adequacy decision marks a milestone for U.S. businesses engaging in cross-border data transfers with EEA-based entities, the EU-U.S. DPF is available only to U.S. businesses that are subject to the authority of the FTC. This generally means that most U.S. nonprofit organizations, such as nonprofit hospitals, health systems, or universities, cannot avail themselves of the EU-U.S. DPF.
In short, the new EU-U.S. DPF may be an attractive option for U.S. pharmaceutical and medical device companies, and other U.S. businesses, that find the EU Standard Contractual Clauses onerous and unpalatable and want a more expedient way to transfer personal data out of the EEA. Participation in the EU-U.S. DPF is not without its own burdens and risks, however, given the implementation steps required to self-certify and the agency compliance monitoring and enforcement provisions associated with participation. Participation in the EU-U.S. DPF also does not obviate the need for the participating company to enter onward transfer agreements with third parties to which it further transfers the personal data or eliminate the requirement to enter data processing agreements with such third parties that are processors.
Organizations that are not eligible to participate in the EU-U.S. DPF may nonetheless rely on the safeguards contained in President Biden’s Executive Order 14086 and in the U.S. Attorney General’s Regulation on the Data Protection Review Court, which were developed in facilitation of the EU-U.S. DPF but which apply to all transfers of personal data to the United States under the GDPR, to support their use of other transfer mechanisms such as the EU Standard Contractual Clauses. The U.S. Department of Commerce will launch an EU-U.S. DPF website (www.dataprivacyframework.gov) on July 17, 2023.
***
This Insight was authored by Emily Chi Fogler, Andrew P. Rusczek, and Christopher D. Taylor. For additional information about the issues discussed above or if you wish to discuss the advantages and disadvantages of participating in the EU-U.S. DPF, please contact one of the authors of this Insight or the Epstein Becker Green attorney who regularly handles your legal matters.
ENDNOTES
[1] Data Protection Commissioner v. Facebook Ireland, Ltd. and Maximillian Schrems (Case C-311/18, ECLI:EU:C:2020:559 (July 16, 2020)).
[2] The EEA comprises the following countries: Austria, Belgium, Bulgaria, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom.