What Does the EU-US Data Privacy Framework Mean for Your Business?

Buchalter
If you have been doing business with entities in the European Union, chances are that you have struggled to figure out how to transfer data from the EU to the US without running afoul of the General Data Protection Regulation (GDPR). You are not alone. The EU and US have struggled to create “adequate” safeguards for the transfer of personal data since 2000.

The first set of guidelines, the Safe Harbor Privacy Principles, was adopted in 2000. However, a legal challenge was brought, and, in 2015, the guidelines were invalidated. In 2016, the EU-US Privacy Shield Framework was unveiled. In 2020, privacy activists persuaded the Court of Justice of the European Union to invalidate this framework as well.

After several years of waiting, on July 10, 2023, the European Commission issued its third set of guidelines – the EU-US Data Privacy Framework (DPF). The Department of Commerce has created a website for US companies to self-certify compliance with the DPF. To be considered in compliance, US companies are required to:

• inform individuals of their rights under the DPF
• create a dispute resolution process for addressing data subject complaints
• cooperate with the Department of Commerce’s International Trade Administration
• maintain data integrity and limit collection based on the purpose of collection
• ensure accountability for data transferred to third parties, including entering into a data processing agreement with the third parties
• publicly share DPF compliance or assessment reports following an FTC or court order of non-compliance
• commit to apply DPF principles to data collected while participating in the framework, even if the company later leaves the DPF program

Only companies that have self-certified through the US Department of Commerce that they are compliant with the DPF may rely on the framework’s provisions when transferring data from the EU to the US. Companies that self-certified under the former Privacy Shield program have the option of re-certifying under the DPF or withdrawing.

Companies that do not self-certify under the DPF must rely on alternate mechanisms, such as robust standard contractual clauses, to transfer personal data outside the European Economic Area. Small and medium-sized businesses may find self-certifying less cumbersome than the alternative; however, there are burdens and benefits to both approaches.

When deciding how to proceed, it is important to note that both the EU company transferring personal data and the US company receiving personal data can be liable under the GDPR if adequate safeguards are not in place. Further, the Data Protection Review Court has the power to order companies to delete personal data that was collected in violation of the DPF’s adequacy safeguards.

Companies should also consider the possibility that the DPF will be overturned, like the previous guidelines, on the grounds that its protections are inadequate. Indeed, the first legal challenge to the DPF was filed on September 8, 2023.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Buchalter | Attorney Advertising
