On July 10, 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework (“DPF”). US companies that participate in the DPF will be deemed to provide “adequate protection” under Article 45 of the EU General Data Protection Regulation (“GDPR”) for personal data transfers received from the European Union (“EU”) and European Economic Area (“EEA”).

Why did the EC need to adopt the adequacy decision for the DPF?

As we have previously written, the EU Court of Justice (“ECJ”) created uncertainty regarding transatlantic personal data transfers in its July 2020 Schrems II ruling. In particular, Schrems II invalidated the EC’s decision of adequacy for the EU-U.S. Privacy Shield, the predecessor to DPF. The focus of the ECJ’s concerns in Schrems II related to US national security and government surveillance, and the rights of individual data subjects in the EU to challenge such practices. The scope of Schrems II was so broad that it not only invalided Privacy Shield, but it also cast doubt on cross-border personal data transfers via other means, such as thru EC standard contractual clauses and binding corporate rules.

How did the US government and the European Commission collaborate to strengthen protections for transatlantic personal data transfers?

In response to Schrems II, the US government and the European Commission worked collaboratively to develop the DPF as a successor to Privacy Shield, and a means to provide greater certainty for transatlantic personal data transfers. Among other activities, the US Administration adopted Executive Order 14086 (“EO”) to establish enhanced privacy protections for personal data in the context of government surveillance, and a new process for individuals to seek redress on these issues concerning personal data transfers from a “qualifying state” to the United States. The US government recently issued additional implementing procedures for the EO, and also declared the EU and EEA Member States as “qualifying states,” such that local EU and other EEA citizens will be able to seek redress via the Office of the Director of National Intelligence (“ODNI”) Civil Liberties Protection Officer (“CLPO”), and ultimately the U.S. Data Protection Review Court.

What is the impact of the DPF?

The DPF will serve as a core option for US companies to assure adequate protection for transatlantic personal data transfers.  The DPF will help to strengthen the substantive privacy protections for personal data transfers from the EU/EEA, and assure greater legal certainty for EU/EEA companies transferring data to DPF participants in the US. More broadly, the substantive protections implemented to facilitate the adoption of the DPF, including the EO privacy protections and the procedural rights of redress, will be available for data subjects in the EU/EEA, regardless of whether the recipient US company participates in the DPF.

What should companies do?

US companies should evaluate the potential benefits of participation in the DPF for transatlantic transfers. Companies that have continued their participation in Privacy Shield should find it relatively easy to convert their Privacy Shield participation into DPF participation. Other US companies, if they find the DPF a suitable solution, should update their current privacy programs to address the substantive and procedural requirements of DPF, and file for certification with the US Department of Commerce (“US DOC”). More information on the US DOC procedure is expected soon. All companies engaging in transatlantic data transfers, regardless of their position with the DPF, should update their data transfer impact assessments (“DTIAs”) to take account of the enhanced substantive and procedural protections for personal data pursuant to the EO and other US developments.

Going forward, it is expected that the DPF will be subject to legal challenges similar to those that impacted the Privacy Shield. Although we have suggested for some time that the long-term solution should be a multilateral treaty arrangement that takes the issue outside the scope of GDPR, we know that DPF will provide a welcome relief in the short to medium-term for transatlantic commerce and data privacy protection.    

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Flavia is a partner at Trench Rossi Watanabe* and is based in São Paulo. She has more than 15 years of experience in the areas of intellectual property, franchise, technology transfer, social media and unfair competition. *Trench Rossi Watanabe and Baker McKenzie have executed a strategic cooperation agreement for consulting on foreign law.

Author

Vin leads our London Data Privacy practice and is also a member of our Global Privacy & Security Leadership team bringing his vast experience in this specialist area for over 22 years, advising clients from various data-rich sectors including retail, financial services/fin-tech, life sciences, healthcare, proptech and technology platforms.

Author

Kritiyanee joined Baker McKenzie in 2013 and is a partner in the Intellectual Property and Technology practice. She has experience in data protection, cyber security, and complex technology matters.

Author

Ken Chia is a member of the Firm’s IP Tech, International Commercial & Trade and Competition Practice Groups. He is an IAPP Certified International Privacy Professional (FIP, CIPP(A), CIPT, CIPM) and a fellow of the Chartered Institute of Arbitrators and the Singapore Institute of Arbitrators. His practice focuses on IT, telecommunications, intellectual property, trade and commerce, and competition law matters.

Author

Cynthia J. Cole is Chair of Baker McKenzie’s Global Commercial, Tech and Transactions Business Unit, a member of the Firm’s global Commercial, Data, IP and Trade (CDIT) practice group steering Committee and Co-chair of Baker Women California. A former CEO and General Counsel, just before joining the Firm, Cynthia was Deputy Department Chair of the Corporate Section in the California offices of Baker Botts where she built the technology transactions and data privacy practice. An intellectual property transactions attorney, Cynthia also has expertise in AI, digital transformation, data privacy, and cybersecurity strategy.

Author

Magalie Dansac Le Clerc is a partner in Baker McKenzie's Paris office. A member of the Firm's Information Technology and Communications Practice Group, she is a Certified Information Privacy Professional (CIPP).

Author

Elisabeth is a partner in Baker McKenzie's Brussels office. She advises clients in all fields of IT, IP and new technology law, with a special focus on data protection and privacy aspects. She regularly works with companies in the healthcare, finance and transport and logistics sectors.

Author

Dominic is Special Counsel in Baker McKenzie's Intellectual Property and Technology Practice Group in Hong Kong.

Author

Rachel Ehlers is a partner in Baker McKenzie's Intellectual Property and Technology Practice Group, based in the Firm's Houston office. Rachel's practice focuses on technology transactions, data privacy and cybersecurity. She has extensive experience advising clients on data incidents and breach response, cross-border transfers, and data privacy and cybersecurity issues related to mergers and acquisitions.

Author

Dr. Lukas Feiler, SSCP, CIPP/E, has more than eight years of experience in IP/IT and is a partner and head of the IP and IT team at Baker McKenzie • Diwok Hermann Petsche Rechtsanwälte LLP & Co KG in Vienna. He is a lecturer for data protection law at the University of Vienna Law School and for IT compliance at the University of Applied Science Wiener Neustadt.

Author

Francesca Gaudino is the Head of Baker McKenzie’s Information Technology & Communications Group in Milan. She focuses on data protection and security, advising particularly on legal issues that arise in the use of cutting edge technology.

Author

Paul is head of cybersecurity in the UK and a key member of our wider data protection team. For 15 years, Paul has guided clients through all types of major data security incidents as well as complex technology and data disputes. Paul pioneered an award-winning data breach and dark web scanning tool which was the first product of its kind in the legal market.

Author

Marcia Lee is a special counsel in Baker McKenzie's Intellectual Property and Technology group based in Hong Kong. She focuses on privacy/data protection, technology, media & telecommunications, internet regulatory issues, consumer law protection, e-commerce, and healthcare.

Author

Cristina focuses her practice on regulatory and transactional issues in global privacy and data protection, including data security, data breach notification, global privacy, website privacy policies, behavioral advertising, cross-border data transfers, and comprehensive compliance programs.

Author

Dr. Michaela Nebel is a partner in the Frankfurt office of Baker McKenzie. Prior to joining Baker McKenzie she studied law at the University of Passau. She obtained her Doctor of Law degree on a topic related to privacy in the Web 2.0. From July until December 2014 she practiced at the San Francisco office of Baker McKenzie. She is a member of the International Association of Privacy Professionals (IAPP) and since May 2015 a Certified Information Privacy Professional/Europe (CIPP/E) and since May 2017 a Certified Information Privacy Professional/United States (CIPP/US). She is also the author of numerous articles on information technology law, in particular on data protection law and e-commerce law, and the co-author of an English language commentary on the EU General Data Protection Regulation.

Author

Pattaraphan Paiboon is a Partner at Baker McKenzie's office in Bangkok. Pattaraphan focuses on telecommunications, broadcasting, IT/Communications, cybersecurity, data privacy and protection, and e-commerce law.

Author

Patricia Perez joined the Information Technology & Communications Department of Baker & McKenzie in Madrid in 2013. Her prior experience includes working at national law firms in the Corporate and Intellectual Property and Information Technology departments.

Author

Marcela is an associate in Baker McKenzie's New York office.

Author

Anne is a partner based in Sydney. Her practice focuses on IT and telecommunications supply arrangements; understanding regulatory issues for online, telecommunications and IT businesses (in particular for data management); and trade regulatory and commercial contracting advice.

Author

Kensaku Takase is a partner in Baker McKenzie’s Tokyo office and is the Group Leader of the office's IP/IT/EC Practice Group. Mr. Takase is bilingual (Japanese and English) and focuses on intellectual property law, media law, and information technology law since 1999. He has assisted many companies in various industries with cross-border transactions in the trademark, copyright and design fields.

Author

Florian Tannen is a partner in the Munich office of Baker McKenzie. He advises on all areas of contentious and non-contentious information technology law, including internet, computer/software and data privacy law.

Author

Alex Toh is a senior associate in Baker McKenzie's Singapore office.

Author

Carlos is one of Mexico's most active privacy, data protection and information security lawyers. He has implemented privacy management compliance programs for over 100 companies, including several Fortune 500 companies. He advises on corporate and commercial matters where privacy is an issue, including e-discovery, FCPA investigations, e-commerce, direct marketing, privacy in the workplace, litigation and M2M communications.

Author

Jo-Fan Yu is a partner and member of Baker McKenzie Information, Technology, Communications (IT/C) and Telecoms, Media, and Technology (TMT) groups in Taipei. Jo-Fan focuses her practice on ITC, media, telecom and dispute resolution.