For companies that conduct business in both the European Union and the United States, data transfers between the EU and the U.S. have long been a challenging process, primarily in light of the EU’s strict privacy regulation, the General Data Protection Regulation (GDPR). In order to facilitate data transfers between the EU and other countries, the EU has entered “adequacy determinations” as to some countries – meaning that the EU determined that those countries’ privacy protections were sufficient to protect the privacy of those EU citizens whose data might be transferred. Although the EU previously adopted an adequacy determination regarding the U.S., referred to as the Privacy Shield, it was struck down twice after it was challenged by Max Schrems, Honorary Chairman of NOYB (which stands for “None of Your Business”), a European digital rights non-profit.
Now, the EU and the U.S., both motivated by powerful business and political interests, are on the brink of finalizing a new data privacy framework. On December 13, 2022, the European Commission published its draft adequacy decision, recognizing the essential equivalence of U.S. data protection standards. This draft decision will now be examined, poked and prodded, and subject to nonbinding opinions from various European bodies such as the European Data Protection Board, the Council of the European Union, and European Parliament.
If the new adequacy decision passes this scrutiny, which EU officials hope it will by the summer of 2023, that will not be the end of the saga: Schrems has vowed to raise a third challenge over a range of concerns, stating that he “can’t see how this [adequacy decision] would survive a challenge.”
Many U.S. businesses that are eager for a free flow of data from the EU are awaiting the resolution of this sticky situation. Unfortunately, it may still be a long time before there is clear guidance as to what the data sharing process may look like. In the meantime, U.S. companies can use alternative means for data transfers, such as binding corporate rules (BCRs) and standard contractual clauses (SCCs).