It has finally happened. After many months of speculation and nervous waiting, on July 10, the European Commission released its adequacy decision on the EU-U.S. Data Privacy Framework. The framework is the third iteration by the U.S. and EU governments to streamline data sharing between the two world powers.
As a result of adequacy decisions, personal data can flow freely and safely from the European Economic Area (EEA), which includes the 27 EU Member States as well as Norway, Iceland and Liechtenstein, to a third country, without being subject to any further conditions or authorizations. In other words, transfers to the third country can be handled in the same way as intra-EU transmissions of data.
U.S. companies will be able to join the EU-U.S. Data Privacy Framework by committing to comply with a detailed set of privacy obligations, in effect submitting to the same rules as EEA data processors, or to obligations similar to those that would apply if the U.S. company were using other tools, such as standard contractual clauses and binding corporate rules.
This exposes U.S. companies to the risk of EU citizens bringing complaints against them for mishandling data, through mechanisms that include independent dispute resolution and an arbitration panel, both of which are free of charge to the complainant.
The safeguards put in place by the U.S. will also facilitate transatlantic data flows more generally, since they also apply when data is transferred by using standard contractual clauses or binding corporate rules.
While signing up to the Privacy Framework will make it much simpler to transfer data from the EU to the U.S., it will also hugely increase the burdens placed on U.S. companies and open them up to new litigation and regulatory risks. The Framework adds to the obligations currently being imposed upon U.S. data processors by 10 states (with five more on the way), each with a different set of obligations.
There is also a need to be cautious. This is the third try by U.S. and EU authorities to create a binding data framework between the two blocs. The first two tries, the Safe Harbor and the Privacy Shield, imposed similar but less onerous obligations on U.S. companies, and both were struck down by the Court of Justice of the European Union (CJEU) following actions brought by legendary privacy activist Maximilian Schrems.
These decisions, Schrems I and Schrems II, highlighted deficiencies in the predecessor regimes, including but not limited to the way in which the U.S. intelligence agencies are able to access data. The new Framework has specifically dealt with the issues raised in the Schrems cases by the creation of a new court that will adjudicate on the access to data by government agencies.
Standard enforcement will be handled by the U.S. Federal Trade Commission, which will fulfill a role similar to that of European data authorities and will have similar powers, including but not limited to massive fines and the ability to require data processors to behave in a certain way, including deleting and correcting data, or stopping processing altogether.
The EU and U.S. authorities are confident that the new Framework will satisfy the CJEU and that this time will be different from Schrems I and Schrems II. However, it behooves U.S. companies considering signing up for the Framework to take a far more circumspect approach to the overall process. It is all but guaranteed that Mr. Schrems will attempt a third bite of the cherry, and, like Charlie Brown and Lucy with the football, it is possible that the CJEU could once again move the ball and leave U.S. companies with large compliance costs for a defunct scheme. Until the European judicial process is completed, it would be wise to take a wait-and-see approach to the Framework and continue with the existing standard contractual clauses and binding corporate rules that have hitherto withstood judicial scrutiny.