Introduction
As a leading provider of global expansion solutions, HSP is committed to keeping our customers informed about the latest developments that shape the international business landscape.
Today, we are excited to share significant news regarding the new EU-US Data Privacy Framework. Recently adopted by the European Commission, this agreement marks a crucial milestone in data transfers between the EU and the US.
At HSP, we understand the importance of staying ahead of the curve. This groundbreaking decision ushers in a new era of data privacy and transatlantic collaboration.
Background
The adoption of the EU-U.S. Data Privacy Framework (Privacy Shield v.3) comes after extensive negotiations between the EU and the US. Negotiations followed the invalidation of the previous EU-U.S. Privacy Shield (v.2) by the Court of Justice of the European Union (“ECJ”) in the Schrems II case.
This ruling created uncertainty and challenges for companies transferring personal data between the EU, the UK, and the US.
The Adequacy Decision
The European Commission’s Adequacy Decision affirms that, in principle, the US provides adequate data protection comparable to the EU/UK.
It introduces a new framework that enables EU/UK companies to transfer personal data to US companies without additional transfer safeguard mechanisms. This applies if the receiving company is accepted as a member of the Privacy Shield.
It allows them to rely upon the Privacy Shield to validate their deemed compliance with the complex EU/UK rules under the ‘General Data Protection Regulation’ (the “GDPR”) for transatlantic data transfers back to the US.
Without the introduction of this Adequacy Decision, transatlantic data transfers back to the U.S. from the EU/UK ran a serious risk of being in fundamental breach of the stringent rules under the GDPR for cross-border data transfers.
This could put companies invalidly transferring personal data from the EU/UK to the US at risk of financial sanctions. Sanctions could be as high as EUR 20 million or, if higher, 4% of an infringing organization’s global turnover.
Key Elements of the Adequacy Decision
- Self-Certification: U.S. companies adhering to the Adequacy Decision, as well as committing to a detailed set of privacy obligations, can receive EU personal data without needing additional transatlantic transfer safeguards. Membership acceptance is a prerequisite.
- These privacy obligations include, for example, the requirement to delete collected personal data once it is no longer necessary. Another is the requirement to ensure continuity of protection when personal data is shared with third parties.
- Addressing Concerns: The EU-U.S. Data Privacy Framework resolves concerns raised by the ECJ, including U.S. intelligence services’ access to EU/UK data. Additionally, new rules introduced by the U.S. Executive Order address the issues raised by the ECJ in the Schrems II judgment. Notably, U.S. intelligence agencies can only access data deemed necessary and proportionate for protecting national security.
- Enhanced Redress Mechanisms: European citizens are provided with improved avenues for seeking redress regarding the collection and use of their data. This includes the newly established Data Protection Review Court. The Court will independently investigate and resolve complaints from Europeans, including by adopting binding remedial measures.
- Streamlined Self-Certification Process: Companies currently certified under the EU-U.S. Privacy Shield Framework will benefit from a simplified procedure for self-certification under the new EU-U.S. Data Privacy Framework.
- Periodic Reviews: The EU-U.S. Data Privacy Framework will undergo regular reviews by the European Commission, European data protection authorities, and competent U.S. authorities. The first review will take place within one year after the entry of the Adequacy Decision into force.
Implications for Global Expansion
With the adoption of this Adequacy Decision, HSP recognizes the immense value it brings to our clients and their global expansion strategies. The new agreement ensures that personal data can flow freely and safely from the EU to the U.S. without imposing burdensome conditions or additional authorizations. This facilitates smoother business operations and fosters trust between transatlantic partners.
Challenges and Opportunities
While the Adequacy Decision has garnered widespread support, including from U.S. President Joe Biden, it has also faced criticism. Privacy activist Max Schrems and his non-profit group noyb (“None of Your Business”) have expressed concerns and intend to challenge the decision. However, EU Justice Commissioner Didier Reynders remains confident in the solidity of the framework and its ability to withstand legal scrutiny.
As a trusted partner, HSP will closely monitor any developments related to legal challenges and keep our clients informed of any potential implications. Our commitment to providing the most up-to-date information and supporting our clients’ compliance efforts remains unwavering.
Conclusion
The new EU-U.S. Data Privacy Framework/Privacy Shield is a significant step forward in fostering data protection, as well as facilitating global expansion for businesses between the EU/UK and the United States. HSP is excited about this agreement’s opportunities for our clients. The agreement allows them to navigate the complexities of international data transfers with greater confidence and efficiency.
As we continue to serve as your trusted global expansion partner, we will ensure that our clients are well informed about the evolving regulatory landscape and equipped with the necessary tools to thrive in the global market.
Following the introduction of the new (v.3) Privacy Shield, HSP’s clients doing business between the EU/UK and the US have a critical opportunity to review their data compliance practices as a matter of urgency, to ensure that they are in a position to apply for certification to the Privacy Shield where relevant. They should also review their overall data compliance position to minimize the risk of regulatory or other breaches, and with it the risk of regulatory financial penalties for non-compliance.
HSP’s data compliance and privacy team has many years of experience advising organizations from small to very large on global data compliance requirements and issues. We have experience advising on data requirements in over 140 countries globally. We will be happy to advise you on the huge advantages that certifying to the Privacy Shield will bring to your organization and assist you in putting together the appropriate application.
For more information
For more information about the Privacy Shield and its impact on global expansion and why it is so vital that you consider applying to be certified to the Privacy Shield as soon as possible, please contact Paul Sutton, who heads up HSP’s data privacy team globally (details below) or your regular HSP contact to arrange to discuss this further.
We look forward to assisting you in expanding your business across borders.
Disclaimer: The information provided in this article is for general informational purposes only and should not be considered legal advice. We recommend consulting with HSP’s data privacy professionals to understand the specific implications of the EU-U.S. Data Privacy Framework for your business.