EU Commission Announces U.S. Adequacy under the EU-US Data Privacy Framework

The European Commission has announced that the United States is an adequate country for the transfer of personal data under the new EU-US Data Privacy Framework (DPF). The adequacy recognition means that the United States provides a level of protection of personal data essentially equivalent to the EU’s General Data Protection Regulation (GDPR).

The announcement concludes a trans-Atlantic process triggered in July 2020 when the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield program that had been in place since 2016 to provide adequate data protection. The Privacy Shield itself was established after its predecessor, the Safe Harbor, was invalidated by the court after 15 years of operation.

Like the Safe Harbor and Privacy Shield, the new DPF is intended solely for U.S. companies. It is based on self-certification by U.S. companies that are willing to commit to more protective privacy practices than ordinarily required under the laws in the U.S. The principles underlying the DPF are similar but not identical to those of the GDPR.

The key reason for the CJEU’s invalidation of the Privacy Shield in 2020 was the absence of safeguards and restrictions on the mass and indiscriminate collection and use of online personal data by U.S. intelligence agencies and enforcement authorities. Therefore, the main development in the DPF pertains to new checks and balances on U.S. intelligence and enforcement agencies.

The EU plans to conduct a periodic assessment of the DPF and U.S. commitments next year. If the EU believes that the United States is not fulfilling its obligations, the EU can demand that the U.S. correct the deficiencies within a defined timeframe. If the U.S. fails to comply, the EU can revoke or suspend the adequacy recognition.

U.S. companies desiring to certify to the DPF will need to adhere to principles regarding Notice, Data Security, Purpose Limitation, Individual Rights, Processing Sensitive Personal Data, and more. There are a few differences between the DPF and GDPR. For example, the DPF does not view data processing as premised on a legal basis. The DPF also does not draw a clear distinction between the obligations of processors and those of controllers.

Mr. Max Schrems, the privacy activist who led the legal campaign that invalidated the Privacy Shield in 2020, criticized the EU Commission’s adequacy decision under the DPF. Mr. Schrems and the privacy advocacy group he founded, NOYB, vowed to initiate yet another legal process to invalidate the new adequacy decision.

Click here to read the EU Commission’s implementing decision.

Click here to view the U.S. Department of Commerce’s Data Privacy Framework portal.