The European Union (EU) announced on July 10 that it had formally adopted the adequacy decision for the EU-U.S. Data Privacy Framework, which goes into effect on July 11. U.S. organizations have been without a self-certification mechanism to allow for the legal transfer of personal data from the EU to the United States since the Schrems II decision by the European Court of Justice (ECJ) striking down the EU-U.S. Privacy Shield Program in July 2020.
The new EU-U.S. Data Privacy Framework puts in place additional procedural protections for data subjects in the EU in connection with U.S. national security investigations in order to address the causes of the ECJ’s decision to overturn the Privacy Shield. Since the Schrems II decision, companies seeking to transfer EU personal data to the United States (which includes accessing data from the United States, even if the data is actually stored in Europe) have labored under a cloud of legal uncertainty, often relying on Standard Contractual Clauses buttressed with an onerous combination of data transfer impact assessments and supplementary protective measures (such as encryption). The EU-U.S. Data Privacy Framework is intended to streamline the legal requirements for data transfers by serving as an alternative legal transfer mechanism to the Standard Contractual Clauses, although it is certain to be challenged by the same privacy activists responsible for the Schrems II decision. Commercial entities' obligations under the new framework will be largely the same as those under the former Privacy Shield.