The European Union has approved a new framework for transferring personal data between Europe and the US. 

On July 10, 2023, the European Commission validated the EU-US Data Privacy Framework, deciding that the United States ensures an adequate level of protection for personal data transferred from the EU to organizations in the United States that are included in the “Data Privacy Framework List” maintained and made publicly available by the U.S. Department of Commerce.

This is a major development that could resolve the current legal limbo for transatlantic data transfers.

  • Companies have faced a regulatory minefield when transferring personal data across the Atlantic, especially after the EU-US Privacy Shield framework was invalidated in 2020.  
  • As an example, in May 2023, the Irish Data Protection Commission fined Meta Platforms Inc. 1.2 billion euros over its data transfers to the US. The fine was the largest levied under the EU’s General Data Protection Regulation (GDPR).  
  • The new deal could provide organizations with some much-needed clarity on the legality of such transfers. However, the framework is likely to be challenged in court by privacy activists.  
  • The Commission’s decision went into effect on July 10, 2023.  

Self-Certification Under the New Framework 

  • Under the Commission’s decision, US companies can self-certify to the framework.   
  • Self-certification includes complying with a set of privacy principles related to purpose limitation, data minimization, data retention, security, and sharing with third parties.  
  • The US Department of Commerce will process certification applications and monitor compliance. The US Federal Trade Commission will enforce compliance obligations. 
  • Personal data can be transferred from the EU to US organizations participating in the framework, without putting in place additional safeguards. 
  • The Commission said it will continuously monitor developments in the US. It will conduct a first review of its decision within one year to verify the US framework is functioning effectively. Its decision can “be adapted or even withdrawn” if the level of protection falls below EU standards.   

The United States adopted new safeguards to limit data collection by US intelligence agencies, and a new two-layer mechanism for individuals to redress their privacy concerns. These new controls were set out through an October 2022 Executive Order issued by US President Biden.     

Possible Challenges? 

The EU-US Data Privacy Framework will most likely be challenged in the Court of Justice of the European Union (CJEU). 

  • The Court invalidated two previous data-sharing agreements between the US and EU following challenges brought by privacy activist Max Schrems. 
  • In its 2020 “Schrems II” decision, the Court invalidated the EU-US Privacy Shield, considering that this framework didn’t sufficiently ensure compliance with GDPR. A key concern for the court was US laws allowing public authorities to access and use personal information under surveillance programs. 
  • Schrems and the Austrian non-profit organization NOYB have already announced plans to challenge the new framework, calling it “largely a copy” of the Privacy Shield. The privacy group expects to be back in the Court of Justice by the beginning of next year.
  • “Just announcing that something is 'new', 'robust' or 'effective' does not cut it before the Court of Justice,” Schrems said in a statement. “We would need changes in US surveillance law to make this work - and we simply don't have it.”

What Can In-House Counsel Do?   

  • Understand the rules under the new framework. 
  • Review your organization’s data transfer mechanisms. 
  • Consider updates to your current data transfer policies and agreements in light of the new framework. 
  • Consider joining the new EU-US Data Privacy Framework. 
  • Conduct Transfer Impact Assessments before transferring data from the EU to the United States. 
  • Monitor cases challenging the framework. 

Learn More and Connect 

Read Third Time’s the Charm? “Privacy Shield 2.0” Emerges as EU Approves New Data Transfer Deal with the United States by Samuel D. Goldstick of Foley & Lardner LLP 

Read The European Commission Adopts the EU-U.S. Data Privacy Framework by Dr. Christian Schröder, Dr. Daniel Ashkar and Alex Sobolev of Orrick Herrington & Sutcliffe LLP 

Read European Commission Adopts EU-U.S. Data Privacy Framework Adequacy Decision by Joan Stewart and Tyler Bridegan of Wiley Rein LLP  

Attend Privacy law sessions during the 2023 ACC Annual Meeting

Region: Global, United States, Europe, European Union
The information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.