The EU-US Data Privacy Framework (DPF)


By Robert Bond, Senior Counsel, Privacy Partnership Law

The EU-US Data Privacy Framework (DPF) was announced on the 10th July 2023[1] and replaces Privacy Shield, which was declared unlawful by the European Court of Justice in July 2020[2]. It therefore seems that the Meta court decision is somewhat academic. I am sure that Meta will sign up with the Federal Trade Commission to the standards of the DPF as quickly as it can, and then personal data will transfer freely from the EU (indeed from the EEA) to the US.

The adequacy decision of the DPF concludes that the United States ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new framework. On the basis of the new adequacy decision, personal data can flow safely from the EU to US companies participating in the DPF, without having to put in place additional data protection safeguards.

The DPF introduces new binding safeguards to address all the concerns raised by the European Court of Justice, including limiting access to EU data by US intelligence services to what is necessary and proportionate, and establishing a Data Protection Review Court (DPRC), to which EU individuals will have access. The new framework introduces significant improvements compared to the mechanism that existed under the Privacy Shield. For example, if the DPRC finds that data was collected in violation of the new safeguards, it will be able to order the deletion of the data. The new safeguards in the area of government access to data will complement the obligations that US companies importing data from EU will have to subscribe to. US companies will be able to join the DPF by committing to comply with a detailed set of privacy obligations, for instance the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties.

EU individuals will benefit from several redress avenues in case their data is wrongly handled by US companies. This includes free of charge independent dispute resolution mechanisms and an arbitration panel.

The DPF is not, however, available to all US businesses. Organisations in the Banking and the Telecoms sectors are not regulated by the Federal Trade Commission and cannot rely on the DPF. They have to use other solutions such as the SCCs.

The safeguards put in place by the US will also facilitate transatlantic data flows more generally, since they apply when data is transferred using other tools such as SCCs and BCRs. As the DPF is an adequacy decision by the EU in respect of the data privacy regime in the US, it may also simplify the EU transfer impact assessment requirements.

On the 10th July 2023, Max Schrems and NOYB quickly announced that they would file another case before the European Court of Justice.[3] The EU-US Data Privacy Framework may therefore be a temporary solution.

The DPF and the EU SCCs are intended to provide data transfer solutions for personal data being transferred from the EU/EEA to the US. Many multinationals operate in other countries and so the DPF does not assist where personal data moves from China to the US or from South Africa to the US. This means that a multinational with offices in many countries around the world has to navigate different data transfer restrictions and requirements. 

Important operational updates on the EU-U.S. Data Privacy Framework from the US Department of Commerce

Some key elements are set out below.

  1. U.S. based organizations that self-certified their commitment to comply with the EU-U.S. Privacy Shield Framework Principles must comply with the EU-U.S. DPF Principles, including by updating their privacy policies by October 10, 2023.
  2. Those organizations do not need to make a separate, initial self-certification submission to participate in the EU-U.S. DPF and may begin relying immediately on the EU-U.S. DPF adequacy decision to receive personal data transfers from the European Union / European Economic Area.
  3. The updating and renaming of the privacy principles under the EU-U.S. DPF does not change such an organization’s re-certification due date.
  4. Organizations that self-certified their commitment to comply with the EU-U.S. Privacy Shield Framework Principles, but do not wish to participate in the EU-U.S. DPF must complete in accordance with International Trade Administration (ITA) procedures the withdrawal process referred to in section (f) of the Supplemental Principle on Self-Certification.
  5. Effective July 17, 2023, eligible organizations in the United States that wish to self-certify their compliance pursuant to the UK Extension to the EU-U.S. DPF may do so; however, they may not begin relying on the UK Extension to the EU-U.S. DPF to receive personal data transfers from the United Kingdom (and Gibraltar) before the date that the United Kingdom’s anticipated adequacy regulations implementing the data bridge for the UK Extension to the EU-U.S. DPF enter into force.
  6. On July 17, 2023, the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) Principles will enter into effect. Organizations that self-certified their commitment to comply with the Swiss-U.S. Privacy Shield Framework Principles must comply with the Swiss-U.S. DPF Principles, including by updating their privacy policies by October 17, 2023.
  7. On July 17, 2023, the ITA will launch the Data Privacy Framework (DPF) program website (https://lnkd.in/eng9mbNc) to enable U.S.-based organizations to make initial self-certification submissions to participate in the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF and to enable participating organizations to make their annual re-certification submissions for the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF. The DPF program website will also provide a variety of guidance materials and related resources.

[1] https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721

[2] https://www.europarl.europa.eu/RegData/etudes/ATAG/2020/652073/EPRS_ATA(2020)652073_EN.pdf

[3] https://noyb.eu/en/european-commission-gives-eu-us-data-transfers-third-round-cjeu