E.U. Adopts Adequacy Decision for E.U.-U.S. Data Privacy Framework
July 27, 2023
On July 10, 2023, the European Union (E.U.) Commission adopted an adequacy decision for the E.U.-U.S. Data Privacy Framework. The decision ensures that the United States will provide an adequate level of protection for personal data transferred from the E.U. to U.S. companies. The issue has been a contentious one. In particular, concerns have been raised on the E.U. side regarding U.S. surveillance agencies’ ability to access non-U.S. individuals’ personal information. These concerns previously led to the downfall of both of the framework’s predecessors: Safe Harbor and Privacy Shield. Companies in the United States that find themselves receiving European personal information can elect to participate in the new framework program, which will be operated by the U.S. Department of Commerce. However, participation is not mandatory. Other transfer mechanisms exist, including binding corporate rules (BCR) and standard contractual clauses (SCC).
To participate, companies must publicly confirm they will adhere to specific privacy obligations ranging from data minimization and retention to limits on data sharing. Participating companies must give individuals rights similar to those under the General Data Protection Regulation (GDPR), such as access, correction and deletion, and offer a free dispute-resolution mechanism for mishandled information. The White House Executive Order provides safeguards for the use of non-U.S. nationals’ personal information by U.S. surveillance agencies. The safeguards apply to all data transfers from the E.U. to the U.S. regardless of the transfer mechanism used.