Event 14 Oct. 2022
Curtis Provides Capacity Training to the Government of Uganda
more
Event 21 Sep. 2022
Kalidou Gadio Speaks at AIEN 2022 International Energy Summit
News 16 Dec. 2022
Curtis Trade Team is top ranked in Chambers Asia-Pacific 2023
Event 06 Dec. 2022
George Kahale Lectures on "Key Issues Facing States in ISDS" at Rashtriya Raksha University
News 24 Feb. 2023
Clients Praise Curtis in Chambers Global 2023 Launch
Event 21 Feb. 2023
Susan Maples Speaks at the Green Hydrogen Organisation Webinar Series on Green Hydrogen Contracting
Publications 23 Feb. 2023
Fernando Tupa Publishes Book on Forum-Specific Consent to International Arbitration in Investment Agreements
Event 22 Nov. 2022
Elisa Botero and Fernando Tupa to speak at the XVI International Congress of Arbitration in Lima, Perú
News 27 Sep. 2022
Curtis Boosts Riyadh Office with New Corporate Partner Stuart Davies
News 16 Aug. 2022
Curtis Delivers More Firsts for the Government of Oman in its Defense Against U.S. Trade Measures
Pro Bono 23 Feb. 2023
Curtis Lawyers Successfully Defend Pro Bono Client in Deportation Proceedings
News 06 Mar. 2023
Russia Sanctions at the First Anniversary: An Overview of Current Sanctions in the US, UK, and EU and How Global Companies Can Navigate Evolving and Conflicting Sanctions Regimes
Client Alert 30 Aug. 2022
The EU Adopts the “Maintenance and Alignment” Sanctions Package
Client Alert 24 Jun. 2021
Update on Virtual Notarization (Executive Order 202.7) During the COVID-19 (Coronavirus) Pandemic (Updated: June 24, 2021) — U.S. Insight
Update on Virtual Witnessing (New York Executive Order 202.14) During The COVID-19 (Coronavirus) Pandemic (Updated: June 24, 2021) — U.S. Insight
Client Alert 08 Mar. 2023
Download the full alert with footnotes.
Last week the European Data Protection Board (EDPB) adopted its opinion on the European Commission’s draft adequacy decision on the EU-US Data Privacy Framework. While the EDPB welcomes several updates to the Framework’s principles, such as the new requirements around necessity and proportionality in US intelligence gathering activities, it still harbors concerns about aspects of the draft decision, such as the rights of data subjects, the protections governing onward transfers of data, and the scope of exemptions. The EDPB recommended the Commission provide clarity on these points.
The current draft adequacy decision, announced by the Commission in December 2022, is the latest iteration in a years’ long effort to build an EU-US data transfer framework. Under the EU’s data privacy law, the GDPR, data transfers from the EU to other countries are only permissible under circumstances. Under Article 45 of the statute, an entity may transfer EU personal data to a foreign country that the EU has determined ensures an “adequate level of protection for personal data.” Fourteen countries have that status. For all other countries, any transfer of EU personal data to them must comply with Articles 46 and 49 of the GDPR.
The US previously had adequacy under the EU and US’s Privacy Shield, a framework adopted in 2016. However, in 2020 the Court of Justice of the European Union struck down that adequacy decision due to concerns over US intelligence surveillance and data collection. The Court had previously struck down an earlier US adequacy decision as well for similar reasons.
In the wake of this decision, the EU and US worked to negotiate a new trans-Atlantic data transfer framework. On March 25, 2022 President Biden and European Commission President von der Leyen announced that the EU and the US had reached an “agreement in principle.”
In October 2022, President Biden signed an Executive Order to implement that agreement. In particular, the Executive Order:
On October 7, 2022, the Attorney General signed a new regulation establishing the Data Protection Review Court (DPRC), which will review determinations made by the Office of the Director of National Intelligence’s Civil Liberties Protection Officer in response to qualifying complaints alleging violations of US law in the conduct of US signals intelligence activities. While legal professionals will serve as the judges for the DPRC, the Court is not part of the judicial system and is instead housed within the Executive branch.
Implementation is in progress on the EU side as well. The European Commission’s draft adequacy decision concludes that the US legal framework provides comparable safeguards to those of the EU and, as discussed above, the European Data Protection Board has completed its non-binding review of the draft and issued an opinion.
On February 14, 2023, the European Parliamentary Committee on Civil Liberties, Justice, and Home Affairs issued a draft resolution, recommending that the European Commission reject the proposed EU-US Data Privacy Framework. The Committee maintains that the Framework fails to comply with the GDPR and remains concerned with the ongoing US policy allowing for the large-scale, warrantless collection of user data for national security reasons. The Committee is also concerned that the Executive Order implementing the agreement is too vague and that the Order could be easily reversed or modified on the US side. The Committee also noted the US’s lack of a federal data protection law.
The Committee’s approval is not required for the Commission’s adequacy decision to be adopted, however, and the approval process can continue to progress. The Commission may consider the feedback from the EDPB and the Parliamentary Committee and make revisions to its draft. The Commission will then submit the draft decision to the approval of the EU member states. Once the member states have approved the draft decision, the European Commission can formally adopt it.
After the adequacy decision enters into force, US companies will be able to join the EU-US Data Privacy Framework by committing to comply with certain privacy obligations. The decision will be subject to periodic review by the Commission together with European data protection authorities and US authorities to assess the functioning and implementation of the framework.
In the meantime, there is no adequacy decision in place so transfers of EU data to the US are governed by Articles 46 and 49 of the GDPR. Companies operating in this space should look to those rules and continue to rely on standard contractual clauses and binding corporate rules supported by transfer impact assessments.
About Curtis
Curtis, Mallet-Prevost, Colt & Mosle LLP is a leading international law firm. Headquartered in New York, Curtis has 19 offices in the United States, Latin America, Europe, the Middle East and Asia. Curtis represents a wide range of clients, including multinational corporations and financial institutions, governments and state-owned companies, money managers, sovereign wealth funds, family-owned businesses, individuals and entrepreneurs. The firm is particularly active on behalf of clients operating in the energy and renewable energy, commodities, telecommunications, manufacturing, transportation and technology industries.
Attorney advertising. The material contained in this Client Alert is only a general review of the subjects covered and does not constitute legal advice. No legal or business decision should be based on its contents.
Data Protection and Privacy Law
Jonathan J. Walsh
Partner
Vadim Belinskiy
Associate
Allesandra Tyler
New York
+1 212 696 6000
Client Alert 21 Mar. 2023
Crypto Shakedown: Employees and Insiders of Fallen Crypto Entities Should Expect to Be Subpoenaed
EU-US Data Privacy Framework Progresses through EU Approval Process
Is Congress Getting Closer to Enacting Comprehensive Federal Data Privacy Legislation?
We use cookies on our website to enhance your browsing experience, match your interests and assess our website performance. We do not share information with any third-party for marketing purposes. Please view our privacy policy to learn more about the use of cookies on our website. By continuing to browse our website, you consent to our use of cookies.