The European Commission has adopted its adequacy decision for the EU-US Data Privacy Framework. The framework is intended to address the concerns raised by the Court of Justice of the European Union (CJEU) in its Schrems II decision, which invalidated the EU-US Privacy Shield. It provides a new mechanism for transfers of personal data from the EU to the United States, and it took effect immediately on adoption.
What was the Privacy Shield?
The EU-US Privacy Shield was designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States. This transfer mechanism was invalidated by the CJEU in July 2020. Since then, companies subject to the GDPR wishing to transfer personal data to the United States have had to use alternative mechanisms (such as Standard Contractual Clauses) and complete transfer impact assessments of the risks associated with each transfer.
What is the new EU-US Data Privacy Framework?
The new EU-US Data Privacy Framework (DPF) replaces the Privacy Shield. The key component of the DPF is the EU-US Data Privacy Framework Principles, issued by the U.S. Department of Commerce. The Department of Commerce has updated the principles found under the Privacy Shield to address the concerns identified in Schrems II. As under the Privacy Shield, companies in the United States can self-certify their adherence to these principles. The DPF is only available where the importer of the personal data to the United States has self-certified and appears on the Data Privacy Framework List maintained by the Department of Commerce.
If you export personal data to the US, what should you do now?
You don’t have to do anything right now; existing Standard Contractual Clauses remain valid. Future transfers to processors or controllers in the United States will not require Standard Contractual Clauses or other appropriate safeguards, but only if the data importer is certified under the EU-US Data Privacy Framework Principles. Before relying on the DPF for a transfer, check that the importer appears on the Data Privacy Framework List and that its certification covers the type of data you transfer (certifications cover HR data, non-HR data, or both).
If you import personal data to the US, should you self-certify?
Yes, it may simplify things. Self-certification will allow your organisation to import personal data to the United States from the EU without the need for other appropriate safeguards, such as Standard Contractual Clauses and associated transfer impact assessments. This may make it easier for you to work with your clients, customers, or affiliates. We expect the process to be similar to Privacy Shield self-certification:
- confirm your eligibility to participate;
- develop a DPF compliant privacy policy statement;
- identify your organisation’s independent recourse mechanism;
- pay the required fee;
- ensure verification mechanisms are in place; and
- designate a contact regarding DPF.
Self-certification is an annual process: your organisation must re-certify each year to remain on the Data Privacy Framework List. If you don’t self-certify, the GDPR will require you to implement Standard Contractual Clauses (or other appropriate safeguards) and to complete transfer impact assessments for transfers from the EU to the US.
Is this new framework likely to be contested?
We understand that noyb (the privacy organisation led by Max Schrems, which brought the Schrems I and Schrems II cases) intends to challenge this framework in late 2023 or early 2024. However, any such challenge is likely to take at least two years to reach a final decision before the CJEU, so the DPF will remain available in the meantime.
How Impact Privacy can help
We will help our clients in the United States decide whether to self-certify and then help with the certification process. We will follow up with you shortly if you are an Impact Privacy client importing or exporting personal data between the EU and US. If you’re not an Impact Privacy client yet, contact us at [email protected] to learn more.