After years of negotiations, on the 10th of July 2023, the European Commission finally affirmed that the US now provides an adequate level of protection for personal data transferred from the EU under the newly established Data Privacy Framework (DPF). With this new adequacy decision, personal data can again be securely transferred from the EU to US companies participating in the DPF, without the need for extra data protection measures.
👉 Get an EU-US DPF self-certification for your business
Who is this article for?
This article should be highly relevant for:
- US-based organizations that regularly receive personal data from the EU, which should cover various B2B and B2C businesses such as IT service providers, consulting firms, marketing and recruitment agencies, as well as other types of organizations like non-profit institutions or charities.
- Entities that must adhere to the GDPR and operate within the EU's data protection regime.
The article offers practical guidance for businesses transferring personal data between the EU and the US, and provides insights into the latest updates in regulations governing this matter.
Background: the evolution and challenges of EU-US data transfers
Since 2000, data transfers between the EU and the US have relied on various mechanisms allowing relatively unrestricted data flow. These mechanisms involved self-certification by US companies, whereas by implementing data protection measures to align with EU standards, they gained the ability to freely transfer personal data between the EU and the US.
However, such frameworks faced challenges due to revelations of US mass surveillance by Edward Snowden, criticism of weak enforcement, and data protection measures falling behind the EU norms. This resulted in their invalidation multiple times, most notably in 2020 with the CJEU's Schrems II ruling that struck down the latest “Privacy Shield” framework.
Following the invalidations, companies transferring personal data to the US were required to adopt more complex data transfer mechanisms to protect against unauthorized US government surveillance. As a result, US-based services lacking adequate protection against unauthorized data access by the US government faced a de facto ban.
Substantial fines reaching millions of euros were imposed for utilizing services like Google Analytics without appropriate additional safeguards, e.g., pseudonymization (the decisions in Austria, France and Italy). In some cases, regulators went as far as prohibiting public authorities from using Google services altogether, such as in Denmark.
The situation created legal and technical hurdles for EU-originating data transfers to the US, causing delays and expenses for businesses.
How to benefit from the Data Privacy Framework
With the adoption of this adequacy decision, US companies will soon be able to apply for the DPF certification by pledging to adhere to a comprehensive set of privacy obligations. The certification process can be initiated at https://www.dataprivacyframework.gov/s/. The website is currently being updated and will be launched on 17th July. From this date onwards, self-certifications can start and all related documents (e.g., principles, guidance, etc.) will be available for familiarization.
Despite this, it may be a good idea not to rush into certification just yet. As the decision has been made very recently, both US and EU data protection authorities have yet to provide guidance on the matter. For example, the European Data Protection Board (EDPB) has only made a brief announcement so far, stating that they will be releasing further information about the DPF implications for stakeholders in the coming weeks.
Companies that were self-certified under the older EU-US Privacy Shield invalidated by the Schrems II decision mentioned earlier should be able to automatically transition to the DPF. To do so, they must update their privacy policies and ensure compliance with the principles outlined in the DPF.
📚 Learn more: what is DPF self-certification for businesses?
Implications for data transfers from the UK and Switzerland
Starting from 17th July, organizations should also have the option to certify under the UK "extension" of the EU-US DPF. However, UK-US data transfers under the DPF will only start after the UK enacts its DPF adequacy regulations. A US-UK Joint Statement on Data Adequacy, published in June 2023, affirms the UK's imminent implementation of its DPF.
The Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) will be implemented in the same manner as its EU-U.S. counterpart. According to the recent statement by the Swiss Federal Data Protection and Information Commissioner, the Swiss-U.S. DPF should take place between Switzerland and the USA within a few months.
Will the Data Privacy Framework face the same fate as the previous frameworks?
Following the DPF announcement, noyb, the privacy advocacy organization behind the Schrems II ruling, has announced that it is preparing to challenge this decision. According to noyb, despite the European Commission's efforts, there have been minimal changes in US law or the EU's approach, and the new framework closely resembles the previous Privacy Shield mechanism.
They specifically noted that the fundamental issue regarding the US regulation FISA 702, which authorizes unproportionate surveillance by US intelligence agencies, remains unaddressed. Given their involvement in the previous landmark case, it is anticipated that noyb's challenge may lead the matter back to the Court of Justice (CJEU) in the coming months.
Still, considering the notorious judicial procedures of the CJEU, it is safe to estimate that it may take noyb at least several years to strike down the new framework. In addition, there is no guarantee that the CJEU will rule in their favor, as vital business interests of the EU will have to be considered when making its ruling.
👉 Get help with EU-US DPF self-certification for your business
Additional Resources and Updates
For your convenience, we have collected the following resources in relation to the topic:
🔗 On 10th July, the EC issued a press release announcing the new adequacy decision for secure and trusted EU-US data flows.
🔗 To get a detailed understanding of the decision on the EU-US Data Privacy Framework, you can download the decision here.
🔗 A comprehensive Q&A was also released by the EC to provide further insights into the new framework.
🔗 A factsheet providing a succinct overview of the EU-US Data Privacy Framework was also released by the European Commission on 10th July.
Start your certification journey with Legal Nodes
If you are a US-based organization receiving personal data from the EU, and are interested in obtaining DPC certification, you can take proactive steps to begin this process by consulting with a privacy expert at Legal Nodes.
With the details of certification becoming certain in the next weeks, now is the best time to take advantage of the new ruling and alleviate the regulatory burden associated with alternative data transfer measures. By working with us, we can assist your organization in navigating compliance with the new framework, ensuring a seamless transition from current to new regulation and reducing your EU’s clients regulatory risks for your engagement.
Please note that the information provided in this article does not constitute legal or any other type of advice and is provided for information purposes only.
Ensure compliance with the new DPF framework
Kostiantyn holds a certification as an Information Privacy Professional in Europe (CIPP/E). Fuelled by his passion for law and technology, he is committed to the protection of fundamental human rights, including data protection. He adds a musical touch to his repertoire as an enthusiastic jazz pianist in his spare time.
