What Happened?
On December 13, 2022, the European Commission (the “Commission”) took a significant step towards the adoption of the EU-U.S. Data Privacy Framework (“DPF”). The DPF is a new framework designed to replace the EU-U.S. Privacy Shield (“Privacy Shield”), which was struck down by Court of Justice of the European Union in the Schrems II decision.
Once fully adopted, the DPF will enable companies subject to the EU GDPR to transfer personal data to the U.S. in compliance with the EU GDPR’s international data transfer rules. It will operate in a similar way to the Privacy Shield: companies in the U.S. will be required to certify that they will comply with a set of data protection obligations designed to protect the personal data transferred to them (such as the requirement to delete personal data when it is no longer necessary , and to ensure continuity of protection when the personal data is shared with third parties).
What Next?
In the draft adequacy decision published today, the Commission takes the position that the U.S.’s legal framework ensures an adequate level of protection for personal data transferred under the DPF to certified organizations in the U.S.. However, the draft decision must go through a multi-stage process before it can be adopted. It will be scrutinized by:
- The European Data Protection Board (the body through which the EU Member States’ Supervisory Authorities cooperate);
- A committee composed of representatives of the EU Member States; and
- The European Parliament.
The Commission can then adopt the final adequacy decision. At time of writing, this is not anticipated to take place before spring of 2023 (based on previous adequacy procedures).
What Actions Should Companies Consider?
Pending the adoption of the final adequacy decision, companies subject to the EU GDPR will need to consider how they can comply with the EU GDPR’s rules on international data transfers.
The most commonly-used data transfer tool is the so-called Standard Contractual Clauses (SCCs), which have been pre-approved by the Commission. SCCs carry significant benefits, since they are already available for use, and will continue to be available, even when (and if!) the DPF is finally adopted. It is also worth noting that Maximilian Schrems (the person behind the Schrems II case) and his non-profit organization None of Your Business (“NOYB”) have already hinted at a possible challenge to the DPF. If such a challenge were to be successful, companies relying on the DPF could find themselves once again without a valid data transfer tool.
As a related point, companies currently relying on the SCCs as a data transfer tool should keep in mind that they have less than a month to update their existing contracts (if they haven’t done so already).