For American companies doing business in Europe and European businesses relying on U.S. vendors and service providers, 2023 may be the year when Europe and the United States finally come together to implement a viable and comprehensive program to facilitate legitimate data traffic across the Atlantic that will pass judicial scrutiny. Since 2015, several court rulings in the European Union have invalidated two key framework agreements that had simplified otherwise complex legal requirements for U.S. processing of personal data originating from the EU. Yet, hope is on the horizon.
One important recent development is the EU-U.S. Data Privacy Framework (DPF) and the reaction to it in the EU. The DPF is an agreement reached last year between the U.S. and the European Commission of the EU that incorporates a set of data protection safeguards and supplemental principles under which companies may transfer personal data originating from the EU to the U.S. It will be significant in facilitating the continuing cross-border transfer of personal data to the U.S. for appropriate commercial purposes. The DPF contains various provisions addressing commercial processing and transfers of personal data, but it was also written in conjunction with new U.S. Department of Justice regulations intended to reduce the risk of personal data being compromised through U.S. national security and intelligence-gathering practices. To further strengthen the DPF’s worth, in October of 2022, President Biden issued an executive order that implemented a number of new electronic intelligence-gathering oversight requirements contemplated by the new framework.
The DPF was intended to correct a number of deficiencies in previous U.S. “adequacy” constructs for data transfers from the EU that many U.S. service providers relied on, namely the framework entitled “Privacy Shield” and its predecessor “Safe Harbor”. The Privacy Shield system was invalidated in 2020 by the Court of Justice of the EU in the highly publicized “Schrems II” case, in large part because of the court’s opinion that U.S. intelligence gathering was not restricted sufficiently to provide minimum safeguards for European citizens’ privacy rights under EU law. That invalidation created a gap in many U.S. companies’ compliance with European data privacy laws, or at best it rendered compliance more difficult to guarantee under U.S. law. However, the European Commission – essentially, the executive branch of the EU – issued a draft “adequacy decision” on the basis of the DPF in December of 2022, signaling the importance of the framework and its likely acceptance by the EU. A final determination of “adequacy” would mean that the Commission views the American legal system and existing legal standards, including new avenues of individual recourse, as providing an adequate level of data protection to EU citizens relative to the strict requirements of the General Data Protection Regulation, or GDPR.
Of course, the draft decision is only a precursor to a final determination, much like a proposed regulation is in the U.S., and there is certainly potential for yet another “Schrems” case to arise, but it is still quite significant. Once a final adequacy decision is issued, as is anticipated in early 2023, U.S. companies that certify and conform to the DPF in the context of services provided to European customers will enjoy a broader toolset for the transfer of EU personal data and greater confidence that their compliance measures will pass muster with European data protection authorities. A final adequacy determination would give U.S. service providers greater certainty of their ability to comply with EU data protection standards, so the business community will be watching closely for it this year.