Reed Smith Client Alerts

At the end of 2022, the European Commission published its draft adequacy decision on EU-U.S. transfers of personal data. The draft contains a lengthy assessment of the U.S. legal framework for state surveillance. Once the adequacy decision comes into effect (expected in the first half of 2023), EU data transfers to the United States under the new Data Privacy Framework (EU-U.S. DPF) will be free. However, there are still some steps to take.

What is the EU-U.S. DPF?

Under the EU-U.S. DPF, EU organisations will be able to transfer personal data from the EU to the United States freely if and to the extent that the U.S. recipient has self-certified under the new EU-U.S. DPF regime (similar to the certification under the former EU-U.S. Privacy Shield). No EU standard contractual clauses will be required for transfers covered by EU-U.S. DPF certification. Where the U.S. recipient is a processor and the EU entity is a controller, putting in place an EU standard contractual clause containing the requirements of article 28 of the GDPR will suffice.

In order to self-certify, U.S. organisations must publish privacy policies that align with the EU-U.S. DPF privacy principles and implement them when handling EU personal data. They will be required to recertify annually. Compliance with the EU-U.S. DPF principles will be enforced by the U.S. Federal Trade Commission and the U.S. Department of Transportation. The U.S. Department of Commerce will administer and monitor the EU-U.S. DPF. EU data subjects will be able to enforce their rights by bringing a complaint directly to a self-certified U.S. organisation, to an independent dispute resolution body in the United States or in the EU free of charge, to an arbitration panel, or to their national data protection authority in the EU.