As a leading provider of global expansion solutions, HSP is committed to keeping our customers informed about the latest developments that shape the international business landscape.
Today, we are excited to share significant news regarding the new EU-US Data Privacy Framework. Recently adopted by the European Commission, this agreement marks a crucial milestone in the realm of data transfers between the European Union (EU) and the United States (US).
At HSP, we understand the importance of staying ahead of the curve, and this groundbreaking decision ushers in a new era of data privacy and transatlantic collaboration between the EU and the US.
The adoption of the EU-U.S. Data Privacy Framework (Privacy Shield v.3 and referred to in this article as “Privacy Shield”) comes after extensive negotiations between the EU and the US, following the invalidation of the previous EU-U.S. Privacy Shield (v.2) by the Court of Justice of the European Union (“ECJ”) in the Schrems II case.
This ruling had created uncertainty and challenges for companies transferring personal data between the EU/UK and the US.
The Adequacy Decision:
The European Commission’s Adequacy Decision affirms that in principle, the US provides an adequate level of data protection, comparable to that of the EU/UK.
It introduces a new framework that enables EU/UK companies to transfer personal data to US companies that have been accepted as members of the Privacy Shield without the need for additional transfer safeguard mechanisms.
It allows them to rely upon the Privacy Shield as validating their deemed compliance with the complex EU/UK rules under the ‘General Data Protection Regulation’ (the “GDPR”) for transatlantic data transfers back to the US.
Without the introduction of this Adequacy Decision, transatlantic data transfers back to the U.S. from the EU/UK ran a serious risk of being in fundamental breach of the very strict rules under the GDPR for cross-border data transfers.
This could have put companies invalidly transferring personal data from the EU/UK to the US at risk of penal financial sanctions of up to EUR 20 million, or 4% of the infringing organization’s global turnover if that is more than EUR 20 million.
Key Elements of the Adequacy Decision:
- Self-Certification: U.S. companies that are accepted as members, adhere (“certify”) to the EU-U.S. Data Privacy Framework/Privacy Shield and commit to a detailed set of privacy obligations can receive EU personal data without additional transatlantic transfer safeguard mechanisms being put in place. These privacy obligations include, for example, the requirement to delete personal data when it is no longer necessary for the purposes for which it was collected and to ensure continuity of protection when personal data is shared with third parties.
- Addressing Concerns: The EU-U.S. Data Privacy Framework resolves concerns raised by the ECJ, including access to EU/UK data by U.S. intelligence services. New rules introduced by the U.S. Executive Order address the issues raised by the ECJ in the Schrems II judgment. For example, access to European data by U.S. intelligence agencies will be limited to what is “necessary and proportionate” to protect national security.
- Enhanced Redress Mechanisms: European citizens are provided with improved avenues for seeking redress regarding the collection and use of their data by U.S. intelligence agencies, including through the newly established Data Protection Review Court. The Court will independently investigate and resolve complaints from Europeans, including by adopting binding remedial measures.
- Streamlined Self-Certification Process: Companies currently certified under the EU-U.S. Privacy Shield Framework will benefit from a simplified procedure for self-certification under the new EU-U.S. Data Privacy Framework.
- Periodic Reviews: The EU-U.S. Data Privacy Framework will undergo regular reviews by the European Commission, European data protection authorities, and competent U.S. authorities. The first review will take place within one year after the entry into force of the Adequacy Decision.
Implications for Global Expansion:
With the adoption of this Adequacy Decision, HSP recognizes the immense value it brings to our clients and their global expansion strategies. The new agreement ensures that personal data can flow freely and safely from the EU to the U.S. without imposing burdensome conditions or additional authorizations. This facilitates smoother business operations and fosters trust between transatlantic partners.
Challenges and Opportunities:
While the Adequacy Decision has garnered widespread support, including from U.S. President Joe Biden, it has also faced criticism. Privacy activist Max Schrems and his non-profit group noyb (“None of Your Business”) have expressed concerns and intend to challenge the decision. However, EU Justice Commissioner Didier Reynders remains confident in the solidity of the framework and its ability to withstand legal scrutiny.
As a trusted partner, HSP will closely monitor any developments related to legal challenges and keep our clients informed of any potential implications. Our commitment to providing the most up-to-date information and supporting our clients’ compliance efforts remains unwavering.
The new EU-U.S. Data Privacy Framework/Privacy Shield is a significant step forward in fostering data protection and facilitating global expansion for businesses operating between the EU/UK and the U.S. HSP is excited about the opportunities this agreement presents for our clients, allowing them to navigate the complexities of international data transfers between the EU/UK and the U.S. with greater confidence and efficiency.
As we continue to serve as your trusted global expansion partner, we will ensure that our clients are well-informed about the evolving regulatory landscape and equipped with the necessary tools to thrive in the global market.
Following the introduction of the new (v.3) Privacy Shield, HSP’s clients doing business between the EU/UK and the US have a critical opportunity to review their data compliance practices as a matter of urgency, so that they are in a position to apply for certification under the Privacy Shield where relevant. They should also review their overall data compliance position to minimize the risk of regulatory or other breaches and of regulatory financial penalties for non-compliance.
HSP’s data compliance and privacy team has many years of experience advising organizations from small to very large on global data compliance requirements and issues. We have experience advising on data requirements in over 140 countries globally and will be happy to advise you on the huge advantages that certifying to the Privacy Shield will bring to your organization and assist you in putting together the appropriate application.
For more information about the Privacy Shield, its impact on global expansion, and why it is so important that you consider applying to be certified to the Privacy Shield as soon as possible, please contact Paul Sutton, who heads up HSP’s data privacy team globally (details below), or your normal HSP contact to arrange a discussion.
We look forward to assisting you in expanding your business across borders.
Disclaimer: The information provided in this article is for general informational purposes only and should not be considered legal advice. We recommend consulting with HSP’s data privacy professionals to understand the specific implications of the EU-U.S. Data Privacy Framework for your business.