The European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework on 10 July 2023.
According to the adequacy decision, “the Commission concludes that the United States ensures an adequate level of protection for personal data transferred under the EU-U.S. Data Privacy Framework from a controller or a processor in the Union to certified organisations in the United States”.
This means that personal data can now flow safely from the EU to US companies that participate in the EU-U.S. Data Privacy Framework (the “DPF”), without the need for additional data protection safeguards. This is especially relevant for Israeli companies with US affiliates or those that rely on data processors in the United States.
The DPF replaces the “Privacy Shield”, which was invalidated by the Court of Justice of the EU in Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (the “Schrems II” case), and addresses the issues raised by the Court:
The DPF introduces new binding safeguards on US intelligence services and certain privacy obligations on US companies that wish to self-certify under the DPF. This includes limiting access to EU data by US intelligence services to what is necessary and proportionate, and establishing a Data Protection Review Court (DPRC), to which EU individuals will have access. The DPRC will independently investigate and resolve complaints, including by adopting binding remedial measures. For example, if the DPRC finds that data was collected in violation of the new safeguards, it will be able to order the deletion of the data.
It is worth pointing out that only transfers to US importers that are registered under the DPF are justified under the adequacy decision. The DPF principles are very similar to the principles already developed for the Privacy Shield, so all companies that have already been certified under the Privacy Shield are likely to also be certified under the DPF. Those that are not will need to comply with a detailed set of privacy obligations, for instance the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties.
ERM is ready to support clients in the process of certifying under the Data Privacy Framework and on any other matters relating to privacy and data protection laws. Please reach out to us for more information.
* This newsletter is provided for informational purposes only, is general in nature, does not constitute a legal opinion or legal advice and should not be relied on as such. If you are seeking legal advice, it is essential to review the specific facts of each case in detail with a qualified lawyer.