On July 10, 2023, the European Commission (“Commission”), which oversees and implements policies and laws of the European Union (“EU”), adopted an adequacy decision for the long-awaited EU-U.S. Data Privacy Framework (“EU-U.S. DPF”).

The EU-U.S. DPF replaces the EU-U.S. Privacy Shield Framework that was struck down by the Court of Justice of the EU in 2020.[1] As a result of the Commission’s adequacy decision for the EU-U.S. DPF, the transfer of personal data from the European Economic Area (“EEA”)[2] to U.S. businesses that participate in the EU-U.S. DPF will be permitted under the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) even if the EEA exporter and U.S. importer participating in the EU-U.S. DPF do not put in place safeguards such as the EU Standard Contractual Clauses (which U.S. importers are often reluctant to do) or rely upon a derogation under GDPR, Art. 49 (which EEA exporters are often reluctant to do). 

U.S. businesses that wish to receive personal data from the EEA will be able to participate in the EU-U.S. DPF by attesting to compliance with a prescribed set of privacy principles addressing the following topics: notice; choice; accountability for onward transfer; data integrity and purpose limitation; access; and recourse, enforcement, and liability. The EU-U.S. DPF also requires compliance with a number of supplemental principles addressing topics such as sensitive data, self-certification, human resources data, contracts for onward transfers, and pharmaceutical and medical products. Many of the privacy principles and supplemental principles under the EU-U.S. DPF are nearly identical to the principles laid out in the previous EU-U.S. Privacy Shield Framework. Importantly, however, in a significant deviation from the EU-U.S. Privacy Shield Framework, the EU-U.S. DPF supplemental principle on pharmaceutical and medical products confirms that the transfer of key-coded research data will be subject to the EU-U.S. DPF as a transfer of personal data.

The process to self-certify and recertify under the new EU-U.S. DPF is substantively similar to the process established under the previous EU-U.S. Privacy Shield Framework. Moreover, U.S. businesses that have already self-certified under the previous EU-U.S. Privacy Shield Framework will be able to self-certify under the new EU-U.S. DPF via a simplified procedure.

As was the case with the EU-U.S. Privacy Shield Framework, the U.S. Department of Commerce is charged with administering and monitoring participation in the EU-U.S. DPF. The Federal Trade Commission (“FTC”) will enforce compliance with the EU-U.S. DPF through Section 5 of the FTC Act, which bars unfair and deceptive acts and practices in or affecting commerce.

Although the Commission’s adequacy decision marks a milestone for U.S. businesses engaging in cross-border data transfers with EEA-based entities, the EU-U.S. DPF is available only to U.S. businesses that are subject to the authority of the FTC. This generally means that most U.S. nonprofit organizations, such as nonprofit hospitals, health systems, or universities, cannot avail themselves of the EU-U.S. DPF. 

In short, the new EU-U.S. DPF may be an attractive option for U.S. pharmaceutical and medical device companies, and other U.S. businesses, that find the EU Standard Contractual Clauses onerous and unpalatable and want a more expedient way to transfer personal data out of the EEA. Participation in the EU-U.S. DPF is not without its own burdens and risks, however, given the implementation steps required to self-certify and the agency compliance monitoring and enforcement provisions associated with participation. Participation in the EU-U.S. DPF also does not obviate the need for the participating company to enter onward transfer agreements with third parties to which it further transfers the personal data or eliminate the requirement to enter data processing agreements with such third parties that are processors.

Organizations that are not eligible to participate in the EU-U.S. DPF may nonetheless rely on the safeguards contained in President Biden’s Executive Order 14086 and in the U.S. Attorney General’s Regulation on the Data Protection Review Court, which were developed in facilitation of the EU-U.S. DPF but which apply to all transfers of personal data to the United States under the GDPR, to support their use of other transfer mechanisms such as the EU Standard Contractual Clauses. The U.S. Department of Commerce will launch an EU-U.S. DPF website (www.dataprivacyframework.gov) on July 17, 2023.

***

This Insight was authored by Emily Chi Fogler, Andrew P. Rusczek, and Christopher D. Taylor. For additional information about the issues discussed above or if you wish to discuss the advantages and disadvantages of participating in the EU-U.S. DPF, please contact one of the authors of this Insight or the Epstein Becker Green attorney who regularly handles your legal matters.

ENDNOTES

[1] Data Protection Commissioner v. Facebook Ireland, Ltd. and Maximillian Schrems (Case C-311/18, ECLI:EU:C:2020:559 (July 16, 2020)).

[2] The EEA comprises the following countries: Austria, Belgium, Bulgaria, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom.
