chevron-down Created with Sketch Beta.

Business Law Today

August 2023

August 2023 in Brief: Internet Law & Cybersecurity

Juliet Marie Moringiello

August 2023 in Brief: Internet Law & Cybersecurity
iStock.com/FactoryTh

Jump to:

European Union Approves Privacy Shield Successor to Govern Data Transfers to the U.S.

By Laura Bacon, Hudson Cook LLP

On July 10, 2023, the European Commission adopted its adequacy decision for the E.U.–U.S. Data Privacy Framework, approving the self-certification program’s use for data transfers from the European Economic Area to the United States. The Data Privacy Framework replaces the now-invalidated E.U.-U.S. Privacy Shield and permits data exporters subject to the European Union’s General Data Protection Regulation to transfer personal data to the U.S. The adoption of an adequacy decision based on the Data Privacy Framework provides legal certainty for U.S. companies receiing data from the E.U.

In 2020, the Court of Justice of the European Union (CJEU) invalidated the use of Privacy Shield as an adequate means for transferring personal data from Europe to the U.S. because of the lack of protections related to U.S. intelligence activities. In the past year, European privacy regulators have ordered U.S. companies to stop sending information about their clients and users in the E.U. to the U.S., and major American technology companies have warned that they may have to shut down European operations.

The Data Privacy Framework, where U.S. companies are able to participate, gives individuals in Europe the ability to raise an official objection when they believe their information has been collected or used improperly, and it establishes an independent review body of American judges—the Data Protection Review Court—to hear these appeals. Of note, the review court will have the authority to order deletion of data in accordance with applicable legal restrictions.

While data will continue to flow between the two jurisdictions under the new accord, the issues around data transfer may not be fully resolved. A data activist has vowed to bring another suit before the CJEU, and members of the European Parliament have criticized the accord for not containing enough meaningful safeguards against surveillance by U.S. intelligence. Still, formal adoption of an adequacy decision provides significantly more legal certainty for U.S. companies.

Participants in Privacy Shield will be able to easily convert their self-certification with the Department of Commerce to the Data Privacy Framework to provide E.U. data exporters with sufficient assurances.

    Editor