Guide to EU-US Data Privacy Framework

A three-year period of uncertainty has ended as the European Commission adopted a revised EU-US Data Privacy Framework on 10 July 2023, providing a pathway for the smooth transfer of data between the European Union and the United States. 

The DPF replaces the EU-US Privacy Shield that was invalidated by the Schrems II judgement of 2020 and ensures an adequate level of protection for personal data that is transferred from the EU to the US. This article delves into the details of the DPF, its implications for businesses, and how organizations can comply with this new framework.

Important dates of Data Privacy Framework 

The EU-US Data Privacy Framework, also known as the DPF, is a data transfer agreement that allows organizations subject to the EU’s General Data Protection Regulation (GDPR) to transfer personal data to companies in the United States. The transfer will be made possible by ensuring that US companies will provide an adequate level of data protection equivalent to that of the EU.

With the new DPF companies can ensure the smooth flow of personal data without the need for additional contractual arrangements like Standard Contractual Clauses or Binding Corporate Rules. The new Framework also offers EU citizens an avenue to address and challenge privacy concerns related to any unauthorized access to their personal data. 

The DPF stems from the need to address concerns raised by the European Court of Justice (CJEU) in its Schrems I and II decisions, regarding the EU-US Privacy Shield and its predecessors. 

The previous data transfer frameworks

EU US Privacy Shield was a widely used legal mechanism for data transfer from the EU to the US. The CJEU invalidated the agreement in 2020 due to concerns over the lack of adequate safeguards for the personal data of EU citizens and surveillance by US government agencies.

Safe Harbor Framework was the legal predecessor to the Privacy Shield till 2015 when the CJEU invalidated the Framework for its failure to provide adequate protections for EU residents’ personal data.

On June 8, 2023, the UK and the US reached an agreement to establish a legal framework to facilitate the transfer of personal data from the UK to the US. The proposed “data bridge” will serve as a UK extension of the EU-US Data Privacy Framework.

US companies that are part of the Data Privacy Framework can undergo self-certification for the UK extension of the DPF. However, these organizations are not allowed to utilise the DPF for transferring UK personal data until the UK adequacy decision is finalised. 

The Swiss-US Data Privacy Framework (Swiss-US DPF) will enter into effect on July 17, 2023. Companies that are certified under the Swiss-US Privacy Shield Framework can opt to switch to the new Swiss-US DPF. 

However, similar to the UK, data transfers will only be permitted until it is officially recognized by the Swiss Federal Administration and its adequacy decision becomes effective.

Adequacy decision

The European Commission’s adoption of an adequacy decision establishes that the United States provides a degree of personal data protection that meets the criteria of the GDPR. It means that organisations can transfer personal data to companies in the United States without requiring additional safeguards such as such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).

Privacy Principles

The EU-US DPF is based on a set of core principles, including:

• Purpose limitation and choice
• Special safeguards for processing special categories of data 
• Data accuracy, minimization, and security
• Transparency
• Individual rights
• Restrictions on onward transfers (to a third party or outside the US) 
• Accountability

DPF certification

Companies in the United States that want to take advantage of the new Data Privacy Framework must certify their participation. By joining the DPF, the organisations pledge to adhere to the privacy principles and will become adequate data recipients according to Articles 44 and 45 of the GDPR. The certification process will be handled by the US Department of Commerce (DoC). 

Limiting access by US intelligence

The Data Privacy Framework limits access by US intelligence to what is “necessary and proportionate” to national security and establishes an independent redressal mechanism for any alleged violation of the data rights of Europeans.

Data Protection Review Court 

The Data Protection Review Court (DPRC) is an independent review body established by the DPF to address concerns about US intelligence agencies’ access to personal data. The DPRC will hear appeals from European citizens and resolve complaints independently, with the authority to impose corrective measures.

Deletion of personal data

US companies are obligated to delete personal data when it is “no longer necessary for the purpose for which it was collected”. Additionally, companies that fail to comply with the principles, or are removed from the DPF or voluntarily withdraw from it, must return or delete the personal data received under the Framework.

To comply with the DPF, organisations must take steps and implement appropriate measures to ensure the protection of personal data transferred to the United States. 

It is important to note that the DPF is not a one-size-fits-all solution. While it offers advantages over SCCs and BCRs, organisations must carefully consider their specific requirements and circumstances before deciding whether to rely solely on the DPF or employ additional safeguards.

Here are the key considerations for compliance with DPF:

1. Obtain self-certification

To benefit from the DPF, US companies must certify their participation by October 10, 2023. This process involves demonstrating compliance with the privacy principles outlined in the framework. Certification signals a commitment to data privacy and can enhance an organization’s reputation in terms of data protection. The DoC will maintain a publically available Data Privacy Framework List of organizations that have certified their compliance with the framework.

Case 1: Companies that want to self-certify under DPF

Companies that would like to self-certify for DPF must submit an application that confirms the company’s compliance with the principles and specific provisions. 

Case 2: Companies currently certified under Privacy Shield 

Companies that are actively certified under the EU-US Privacy Shield may begin to rely on the EU-US DPF if they believe they are compliant. These companies do not have to make a separate, initial self-certification to the DPF. They must, however, update your privacy policy and principles per the requirements of DPF, no later than October 10, 2023.

Case 3: Companies with lapsed Privacy Shield certification

Companies that have a lapsed Privacy Shield certification or those that have previously withdrawn from it will be required to re-certify with the Data Protection Framework (DPF). These companies can use the account credentials under Privacy Shield to log into the DPF website.

Case 4: Privacy Shield companies that want to withdraw from DPF

Companies with Privacy Shield certifications that do not wish to participate in the DPF must complete the process to formally withdraw from the Privacy Shield/DPF. They are required to notify the DoC in advance and indicate what the company will do with the personal data that it received in reliance on the EU-US DPF.

2. Comply with privacy principles

Organizations must understand and adhere to the privacy principles set out in the DPF. These principles include limitations on data collection, purpose limitation, data retention, and individual rights. By implementing robust privacy practices and policies, organizations can demonstrate their commitment to protecting personal data.

3. Revised privacy policy

Transparency is a crucial aspect of compliance with the DPF. Organizations should provide clear and accessible information to individuals via a privacy policy, regarding their data processing activities, including the purposes for which data is collected and the rights individuals have regarding their data. Organizations are required to update or revise their privacy policies as per the core principles of DPF.

Also ensure that your organization’s privacy policy is readily available, both on the website and via a hyperlink on the DoC’s website.

4. Implement a redressal mechanism

Any participating organization is required to offer simple and accessible ways for people to raise complaints and get them resolved quickly and fairly without any cost to the individuals. Companies must respond to individuals within 45 days.

Additionally, they must also implement an independent redressal mechanism to provide recourse for individuals who are affected by non-compliance.

The Department of Commerce (DoC) will process certifications and monitor ongoing compliance. The Federal Trade Commission (FTC) and the Department of Transportation (DoT) have the investigatory and enforcement powers to ensure compliance with the EU-US DPF.

The FTC can enforce compliance through administrative or federal court orders and can seek injunctions or other remedies to ensure compliance. They can also impose financial penalties, and other remedies, including compensation for any harm caused by unlawful conduct.

Organizations that persistently violate the principles, will be removed from the DPF List, and are required to return or delete all personal data obtained under the EU-US DPF.

Is the EU-US Privacy Shield still valid?

No, the EU-US Privacy Shield is no longer a valid mechanism for transferring personal data from the European Economic Area to the United States. It was struck down by the Court of Justice of the European Union on July 16, 2020, in the Schrems II ruling. The CJEU’s decision was influenced by two main factors: First, the insufficient level of personal data protection in the US and second, the access and usage of EU citizens’ personal data by US authorities.

What is an adequacy decision in GDPR?

An adequacy decision is a formal decision made by the EU that permits cross-border data transfer from the EU to a country, territory, sector or international organisation outside the EU if it provides an equivalent level of protection for personal data as the EU does. Article 45(2) of the GDPR sets out the rules for assessing the adequate level of protection.

What is the adequacy decision of the European Commission?

On 10 July 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework (DPF). The Adequacy Decision ascertains that companies that have self-certified their adherence to the DPF ensure an adequate level of protection for personal data transferred from the EU to the US. 

When can companies certify under the new EU-US DPF?

Companies that are not currently certified under the previous EU US Privacy Shield programme will need to create an account on the new DPF website and apply for certification.

Companies who are currently still certified to the Privacy Shield will be automatically switched to the DPF. However, they must comply with the DPF requirements by October 10, 2023, which includes amending privacy policies and renaming the privacy principles to reflect the DPF.

Are Transfer Impact Assessments required under DPF?

Organizations in the US that do not wish to rely solely on the new Data Privacy framework must perform Transfer Impact Assessments (TIAs). TIAs are required under the CJEU’s Schrems II ruling and help assess the risks associated with transferring personal data to countries outside the EU.