What happened?

On 10 July 2023, the European Commission adopted a decision on the adequate level of protection of personal data under the "EU-U.S. Data Privacy Framework" (the "EU-US DPF"). This adequacy decision was adopted almost three years after the invalidation of the previous mechanism by the Court of Justice of the European Union (CJUE, 16 July 2020, "Schrems II" case).

With this decision, the European Commission considers that the EU-US DPF ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred under the EU-US DPF from a controller or a processor in the EU to certified organisations in the US. Such transfers may now take place without the need to put in place additional data protection safeguards such as the Standard Contractual Clauses or Binding Corporate Rules.

Points of attention

The US organisations that will receive the personal data coming from a controller or a processor located in the EU must self-certify their adherence to a set of privacy principles issued by the US Department of Commerce (i.e., the "EU-U.S. Data Privacy Framework Principles" which include the Supplemental Principles, together the "Principles"). To benefit from the adequacy decision, the US organisations must re-certify their adherence to the Principles every year.

The previous Safe Harbour and Privacy Shield mechanisms, which were invalidated by the CJUE in 2015 and 2020 respectively, were also based on the principle of self-certification.

The US Department of Commerce will maintain and make available to the public on a dedicated website a list of US organisations that have self-certified and declared their commitment to adhere to the Principles. The website is scheduled to be brought online by 17 July 2023.

It is crucial that EU controllers and processors verify that the US organisation is self-certified and included in the above list before transferring the personal data to the US.

What's next?

In the coming years, the European Commission will conduct periodic reviews of the EU-US DPF to verify whether the adequacy decision is still factually and legally justified.

Let's hope that this new EU-US DPF will meet a better fate than its predecessors, although Max Schrems and the NOYB association¹ have already announced that they intend to challenge the validity of the EU-US DPF before the CJUE!

Footnote

1. According to its articles of association, the purpose of this non-profit association is in particular to promote "public awareness in the areas of freedom, democracy and consumer protection in the digital sphere with a focus on consumer rights, the fundamental rights to privacy and self-determination, data protection, freedom of expression, freedom of information, human rights and the fundamental right to an effective remedy".
