Earlier this week, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework (the “Framework”) (see a link to the decision). An adequacy decision is one of the tools provided under the General Data Protection Regulation (GDPR) to transfer personal data from the EU to third countries which, in the assessment of the European Commission, offer a comparable level of protection of personal data to that of the European Union. As a result of adequacy decisions, personal data can flow freely and safely from the European Economic Area (EEA), which includes the 27 EU Member States as well as Norway, Iceland and Liechtenstein, to a third country, without being subject to any further conditions or authorizations. It is important to note that adequacy decisions can be adapted or even withdrawn in case of developments affecting the level of protection in the third country.
On the basis of the new adequacy decision (which concludes that the US ensures an adequate level of protection, compared to that of the EU, for personal data transferred from the EU to US companies participating in the Framework), personal data can flow safely from the EU to US companies participating in the Framework, without having to put in place additional data protection safeguards. The adequacy decision entered into force with its adoption on July 10, 2023.
The Framework introduces new binding safeguards which address the concerns raised by the European Court of Justice in its previous decisions concerning transfers of personal data to the US, including limiting access to EU data by US intelligence services to what is necessary and proportionate, and establishing an independent and impartial redress mechanism to handle and resolve complaints from Europeans concerning the collection of their data for national security purposes.
The safeguards that have been put in place by the US Government in the area of national security (including the redress mechanism) apply to all data transfers under the GDPR to companies in the US, regardless of the transfer mechanisms used. These safeguards therefore also facilitate the use of other tools, such as standard contractual clauses and binding corporate rules.
US companies will be able to join the Framework by committing to comply with a detailed set of privacy obligations, such as purpose limitation, data minimization and data retention, as well as specific obligations concerning data security and the sharing of data with third parties.
It remains to be seen whether the new Framework, like the Privacy Shield and Safe Harbor arrangements which were previously invalidated, will also face legal challenges or whether it will serve as a long-lasting framework for data transfers between the EU and the US. We will continue to monitor relevant developments and, as necessary, provide updates.
For further information regarding this update and other privacy protection and database management issues, please contact Adv. Ella Tevet, Partner, Head of the Intellectual Property and Privacy Department, at ellat@gkh-law.com or 03-6074588, or Adv. Roee Laor, Partner, at roeel@gkh–law.com or 03-6074588.
Goldfarb Gross Seligman & Co. Law Firm is one of the leading law firms in Israel, with over 520 attorneys. Goldfarb Gross Seligman & Co. specializes, both in Israel and abroad, in various fields of law including Mergers and Acquisitions, Capital Markets, Hi-Tech and Venture Capital, Healthcare and Life Science, Banking, Real Estate, Litigation, Antitrust, Energy & Project Financing, Administrative Law, Tenders and Municipal Government, Infrastructure, Environmental Law, Sustainability–ESG and Cleantech, Intellectual Property, Labor Law and Tax.
This alert is prepared as an informational service to clients and colleagues of Goldfarb Gross Seligman & Co. and the information presented is not intended to provide legal opinions or advice. Readers should seek professional legal advice regarding the matters about which they are particularly concerned.