On 10 July, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework (DPF). This decision concluded that the United States ensures an adequate level of protection – comparable to that of the EU – for personal data transferred from the European Economic Area (EEA) – which includes the 27 EU Member States as well as Norway, Iceland and Liechtenstein – to US companies participating in the EU-U.S. Data Privacy Framework, without the need for additional data protection safeguards.
History of the DPF Agreement and Key Principles
The DPF replaces the Privacy Shield Framework (Privacy Shield), which was invalidated by the Schrems II decision of the Court of Justice of the European Union (CJEU) in July 2020 (the case known as Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18)), because it did not sufficiently consider US intelligence agencies’ authority to access EU personal data in the US. More specifically, the US legal frameworks for surveillance did not limit data collection to what is strictly necessary and proportionate to legitimate national security objectives.
In order to address the issues raised by the Court of Justice in its Schrems II judgment, on 7 October 2022, the US White House published an Executive Order on enhancing safeguards for United States signals intelligence activities (EO 14086) that is accompanied by regulations adopted by the Attorney General.
EO 14086 introduces new binding safeguards to limit U.S. intelligence authorities’ access to data and establishes an independent and impartial redress mechanism to investigate and resolve complaints regarding access to data by U.S. national security authorities.
The adequacy decision relies to a large extent on the changes to U.S. law implemented by the EO 14086.
What is the EU-U.S. Data Privacy Framework?
Like the Privacy Shield, the DPF is a package of measures designed to govern how personal data is protected when transferred from the EU to the US by businesses that self-certify to the framework. Certified U.S. organizations have to commit to a set of core principles, including: notice; choice; accountability for onward transfers; security; data integrity and purpose limitation; access; and recourse, enforcement and liability. The principles apply immediately upon self-certification, which is subject to annual re-certification.
The DPF provides EU individuals whose data would be transferred to certified companies in the US with several new rights, for example: to obtain access to their data, or obtain correction or deletion of incorrect or unlawfully handled data. In addition, it offers different redress avenues in case their data is wrongly handled, including free of charge independent dispute resolution mechanisms and an arbitration panel.
Self-certification to the DPF privacy principles is only open to organizations regulated by the US Federal Trade Commission and the US Department of Transportation. As a result, certain industries, such as banks and insurance companies, are excluded from certifying. However, technology providers working with these companies still fall within the scope of the DPF.
Companies already signed up to the Privacy Shield will likely be offered an easy transition to the DPF.
On 17 July, the U.S. Department of Commerce (DoC) launched the Data Privacy Framework program website, where U.S.-based organizations can apply for self-certification and find information on participating companies and more. The DoC is responsible for monitoring the DPF and will also maintain and make available to the public the Data Privacy Framework List of organizations that have certified their adherence to the principles.
Implications for Businesses: Challenges and Opportunities
Since 10 July 2023, transfers from the EU to organizations in the US that are included in the Data Privacy Framework List may be based on the Adequacy Decision, without the need to rely on Article 46 GDPR transfer tools, e.g. standard data protection clauses (SCCs) or binding corporate rules (BCRs).
But, as stated above, there are organizations that are ineligible for the DPF or that prefer not to rely on it.
Therefore, to determine whether the DPF applies, a thorough assessment is required to establish whether the US company is certifiable, whether it is actually certified, and whether the products and services offered to the European company are covered by that certification. If any of these conditions is not met, the transfer regime in effect before 10 July 2023 continues to apply: the parties will still need to use SCCs, BCRs or another transfer mechanism and carry out a so-called Transfer Impact Assessment (TIA).
Finally, it should be noted that the functioning of the DPF will be subject to periodic reviews, to be carried out by the European Commission together with representatives of the European data protection authorities and the competent US authorities. So, the framework could change in the near future.
Ensure compliance in your business.
Strategies for Managing Personal Data in a Transatlantic Environment
Businesses transferring data to the US now face major changes in their privacy management models. CyberSec Privacy Advisory professionals can provide the services you need to comply with regulations and to stay aligned with updates to the legal framework.
BIP CyberSec has developed a methodological approach to assist organizations in evaluating the transfer of data to the third country (Transfer Impact Assessment) in 5 steps:
- preliminary analysis of the transfer and identification of appropriate safeguards under Article 46 GDPR, with a focus on the recipient country’s regulatory framework;
- classification of the transfer according to the type of data recipient (intra-group transfers, transfers to third parties, to technology providers, etc.);
- risk analysis: assessment of the risks associated with the third-country data importer and the risks to the protection of the transferred data, considering the possible impacts on data subjects arising from a breach of those data;
- impact assessment considering the various factors involved, including the legislation of the importing country, the data flow and tools used, the category of data transferred, any subsequent transfers, etc.;
- remediation plan, in order to adopt the safeguards and security measures required according to the data protection risk identified.
Contact us to schedule a meeting with our experts.