The European Commission has published its long-awaited draft of the new EU-US Data Privacy Framework, available here. The Data Privacy Framework will replace the Privacy Shield decision that was invalidated in July 2020 by the Schrems II decision (discussed here).
President Biden’s recent Executive Order paved the way for the new Data Privacy Framework by creating a significantly more robust right of redress for people in the EU, along with stronger guardrails and greater oversight for US intelligence agencies’ data privacy compliance. In the view of the European Commission, these changes to US governmental safeguards and redress mechanisms, coupled with compliance with the new Data Privacy Framework, will enable US data importers to guarantee that European personal data will be adequately protected.
Of course, this isn’t a done deal quite yet. The Commission’s draft Data Privacy Framework has now landed in the European Data Protection Board’s inbox. The EDPB represents the EU countries’ national data protection authorities, some of which are likely to look askance at any promises by the US to modify its national security practices. After the EDPB’s review, representatives of the EU Council and the EU Parliament will weigh in. It will take months to align all of these stakeholders.
In the meantime, data privacy advisors and US data importers alike will be reviewing the draft Data Privacy Framework to drill down on how it differs from Privacy Shield. Organizations that are already GDPR-compliant should find the new Framework to be familiar ground. For others who are newer to GDPR, it would make sense to start preparing based on the current draft Framework, since the requirements for organizations are very likely to make it into the final version in some form.
And of course, while we dig into the draft Data Privacy Framework, we should remember that we have a deadline coming up on December 27, 2022 to migrate to the new (2021) version of the SCCs. See here and here for more on that topic.