European Commission Adopts EU-U.S. Data Privacy Framework Adequacy Decision

July 10, 2023

On July 10, 2023, the European Commission adopted an adequacy decision regarding the EU-U.S. Data Privacy Framework (Framework). The adequacy decision procedure was established by the European Union’s (EU) General Data Protection Regulation (GDPR) to create a legal mechanism by which to permit the transfer of personal data from the EU to non-EU countries. In essence, an adequacy decision means that the European Commission has determined that a country—in this case the U.S.—offers an adequate level of protection to personal data comparable to that of the EU.

Going forward, U.S. companies that self-certify to the Framework, which will be administered by the U.S. Department of Commerce, will be able to freely transfer personal data to and from the EU. In order to self-certify to the Framework, U.S. companies will be required to commit to comply with a detailed set of privacy obligations and make the required certifications to the U.S. Department of Commerce. The privacy obligations are expected to include requirements around purpose limitation, data minimization, data retention, as well as specific obligations concerning data security and the sharing of data with third parties. Further, like its predecessor the U.S. Privacy Shield, compliance with these requirements will be enforced by the U.S. Federal Trade Commission.

Although the adequacy decision is now in effect, the European Commission will continuously monitor relevant developments in the U.S. and regularly review the adequacy decision. The first review will take place by July 10, 2024.

Now that the adequacy decision has been finalized, the U.S. Department of Commerce will (i) provide information on how U.S. businesses that currently are not covered under the Privacy Shield can self-certify to the new Framework, and (ii) provide guidance to those companies that continued to adhere to the Privacy Shield Principles during the past three years. More information, as well as the certification, can be found on the recently created Data Privacy Framework website, which will likely be fully functional in the coming days.

***

Wiley’s Privacy, Cyber & Data Governance Team has helped companies of all sizes from various sectors proactively address risks and comply with new privacy laws and requirements. Please contact Joan Stewart (jstewart@wiley.law) or Tyler Bridegan (tbridegan@wiley.law) with any questions.

Tags

Wiley Connect

Sign up for updates

Wiley Rein LLP Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek