U.S. Companies Now Have a Framework for EU-U.S. Personal Data Transfers

Brownstein Hyatt Farber Schreck

In a significant milestone for EU-U.S. cross-border transfers of personal data under Article 45 of the General Data Protection Regulation (GDPR), the European Commission adopted an adequacy decision for the new EU-U.S. Data Privacy Framework (DPF) on July 10, 2023. The DPF allows organizations that have self-certified with the DPF to transfer data from the EU to the U.S. without the need for additional transfer mechanisms. 

Background

To comply with the GDPR, companies that transfer data from the European Economic Area (EEA) to countries outside the EEA must do so pursuant to a valid transfer mechanism. The EU-U.S. Privacy Shield (Privacy Shield), designed by the U.S. Department of Commerce, was one such mechanism that established a legal framework for regulating transatlantic exchanges of personal data for commercial purposes. Unfortunately, the Privacy Shield was invalidated as a transfer mechanism following the Schrems II decision (July 2020) by the Court of Justice of the European Union based on invasive U.S. surveillance programs. After Schrems II and under guidance from the European Data Protection Board, U.S. companies relied on binding corporate rules and standard contractual clauses (SCCs) for maintaining cross-border data transfers. The DPF addresses the concerns of Schrems II that resulted in the Privacy Shield being invalidated.

EU-U.S. Data Privacy Framework

U.S. companies can use the new DPF to ensure an adequate level of personal data protection that is comparable to the standard under the GDPR. By participating in the DPF, companies can forgo additional data protection safeguards such as the SCCs.

According to a press release from the European Commission, the DPF comes with “significant improvements” in the form of binding safeguards that address the EU Court of Justice’s issues with the Privacy Shield, including limitations to U.S. surveillance services’ access to EU data “to what is necessary and proportionate” and a new Data Protection Review Court.

Implementation

To join the DPF, U.S. organizations must commit to comply with a detailed set of privacy obligations that will remain substantively the same as those under the Privacy Shield and are now available in detail on the DPF site, which launched today. For example, organizations must agree to a consumer right to delete personal data and to the continued protection of personal data that is shared with third parties. The DPF will be administered and monitored by the Department of Commerce with enforcement by the U.S. Federal Trade Commission.

It is worth noting that the DPF may not be the final word, as legal challenges similar to the Schrems II challenge that affected the viability of the Privacy Shield are expected. Furthermore, the DPF does not affect data residency requirements that may be in place in other countries, nor does it affect the requirements for Data Protection Impact Assessments or Privacy by Design under the GDPR.

Recommendation

Organizations currently self-certified under the Privacy Shield will have access to a streamlined certification process under the DPF.

Organizations that are not currently certified under the Privacy Shield can apply for the DPF beginning July 17, 2023. Self-certification to the DPF will simplify GDPR compliance for organizations transferring personal data from the EEA to the U.S. Organizations currently using the SCCs should consider whether the DPF is a more appropriate transfer solution, especially given the administrative burden associated with implementing the SCCs. The DPF website sets forth the key requirements for participating in the DPF.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Brownstein Hyatt Farber Schreck | Attorney Advertising
