On July 10, the European Commission (EC) published its data adequacy decision for the new EU-U.S. Data Privacy Framework (EU-U.S. DPF).  This means that companies can transfer personal data from EU countries and from Iceland, Liechtenstein and Norway to U.S. organizations participating in the EU-U.S. DPF consistent with EU law. It is also expected that the adequacy decision will facilitate transfers through other EU legal mechanisms, including Standard Contractual Clauses and Binding Corporate Rules.

Previous adequacy decisions for the transfer of personal data from the EU to the US were struck down by the Court of Justice of the European Union (CJEU), in decisions known as Schrems I and Schrems II.  Most recently, in the Schrems II decision, the EU judges expressed continued concerns about the relatively easy access to European personal data by US intelligence agencies.

In response, last October, US President Joe Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (EO 14086) to address these concerns.

After EO 14086 was issued, the European Commission began the formal process for adopting an adequacy decision on this new EU-US Data Privacy Framework, which resulted in the announcement on July 10.

EO 14086 sets forth a self-certification program similar to its predecessors known as the “Safe Harbor” and the “Privacy Shield”, but with stronger safeguards for certain US intelligence activities regarding European personal data, as well as an independent redress mechanism which includes a new Civil Liberties Protection Officer of the Office of the Director of National Intelligence and a new Privacy and Civil Liberties Oversight Board.

The strengthened safeguards include putting US intelligence services under the supervision of a Privacy and Civil Liberties Oversight Board, which will have access to all relevant documents, including classified information. Earlier this month, the US Commerce Secretary announced that the Office of the Director of National Intelligence has confirmed that the U.S. Intelligence Community has adopted policies and procedures pursuant to EO 14086.

In the coming days, US companies will be able to undergo the EU-U.S. DPF self-certification process on the US Commerce Department’s website. Once certified, companies will be able to import personal data from the EU and EEA into the U.S. without the need to rely on another data transfer mechanism, such as Standard Contractual Clauses (SCCs).

This latest data adequacy decision will be reviewed by the European Commission at least annually. In addition, the European privacy regulators will monitor how the redress mechanism works in practice. This third attempt at an adequacy decision for US/EU data transfers is bound to face a legal challenge from Austrian activist Max Schrems, who has already expressed reservations about the redress mechanism, which, while strengthened, still operates under the executive branch of the US government and thus is not fully independent.

Kathleen Porter

Kathy Porter’s practice straddles the areas of intellectual property, business transactions, trade regulation, and Internet law and includes import/export control issues, such as compliance and enforcement, competition, privacy, and data security. She counsels businesses on the development and implementation of data security and privacy practices to comply with the patchwork of laws and rules applicable to the collection, use, safeguarding, sharing, and transfer of protected or personal data. She regularly structures arrangements with promoters, marketers, website exchanges, and other third parties for the purchase, sale, sharing, and safeguarding of personal data. Kathy prepares and negotiates representations, warranties, and indemnities regarding personal or protected data and privacy and data practices. She also assists clients with privacy audits and works with third-party certification organizations to obtain certification of companies’ privacy practices. She guides clients through internal investigations to assess and address notice and other obligations regarding privacy breaches. Kathy often works closely with our litigation attorneys to manage external investigations such as those by federal or state regulators.