On 10 July 2023, the European Commission announced the long-awaited EU-US adequacy decision and confirmed the EU-US Data Privacy Framework (DPF) for EU-US data transfers, with immediate effect. This decision comes after years of negotiations between the EU and US, following the invalidation of the Privacy Shield in 2020.
The new Framework was effective as of 10 July 2023 and the US Department of Commerce launched the Data Privacy Framework (DPF) Program website on 17 July 2023.
The DPF is a welcome addition to the current transatlantic transfer mechanisms of Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). Organisations participating in the Framework do not need to implement additional data protection controls and safeguards when transferring EU residents’ data from the European Economic Area (EEA) to the US. The Framework is intended to make transatlantic data flows easier, and the new safeguards put in place by the US will also facilitate SCCs and BCRs.
In a press release by the European Commission, President Ursula von der Leyen said, “The new EU-US Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic.”
The key principles are similar to those of the invalidated Privacy Shield:
In a bid to address the previous concerns that resulted in the failure of the Privacy Shield, the DPF incorporates new controls to provide stronger data protection safeguards:
The Framework will be reviewed periodically by the European Commission, representatives of EU data protection authorities and certain US authorities, with the first review to take place within one year of implementation.
European Commissioner for Justice Didier Reynders expressed confidence that the Framework would withstand any legal challenges. However, within hours of the announcement, noyb stated they would be filing an appeal to invalidate the DPF.
Max Schrems tweeted: “…it is largely a copy of the old principles #WhatCouldGoWrong”.
Max Schrems is an Austrian data protection activist and Chair of the non-profit organisation noyb. He became known for the Schrems II ruling, which resulted in the invalidation of the Privacy Shield framework. Schrems said the DPF is not substantially different from the Privacy Shield or the Safe Harbour Framework that preceded it.
As the US self-certification website has only recently gone live, noyb’s condemning judgement of the DPF could be seen as hasty. Only time will tell.
The Commission Implementing Decision states adequacy does not require identical levels of data protection in a third country, but a guarantee of protection that is “essentially equivalent”.
Rob Masson, CEO of The DPO Centre said: “With major EU countries supporting the Framework, and indications that substantial improvements have been made, we look forward to supporting our clients through this next phase of evolution of the international privacy landscape.”
EU to US data transfers:
US companies can self-certify their compliance with the DPF principles through the Data Privacy Framework (DPF) Program website. To be eligible for self-certification, US companies need to be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) or the US Department of Transportation (DoT).
Upon self-certification, the DPF principles become applicable immediately. Organisations that were previously self-certified to the EU-US Privacy Shield Framework Principles will be required to revise their privacy policies and make reference to the “EU-U.S. Data Privacy Framework Principles” instead. It is important for these organisations to include this updated reference as soon as possible, and at the latest, by 10 October 2023.
UK to US data transfers:
The UK and the US have reached a decision in principle to establish a “data-bridge”. This is the UK extension to the DPF, although it is not yet in force. Once it comes into effect, US companies must first self-certify to the EU DPF before adding on the UK DPF extension.
Companies planning to use the DPF for EU-US data transfers should include confirmation of this in their privacy notice.