The New EU-US Data Privacy Framework (DPF): Third Time's a Charm, or a Habit?

Introduction

On 10 July 2023, the European Commission issued its latest adequacy decision; namely, the European Union - United States Data Privacy Framework (EU-US DPF). Once again, the US is adequate … for now. After a couple of years of drafting and negotiating, welcome to the third round of the epic EU-US trans-Atlantic data flow saga! If your organization processes the personal data of people in the European Union (e.g., you have a website visible in the EU that offers products or services, or you use marketing tools), you should keep reading closely.

The EU-US Data Privacy Framework is the third iteration of a transatlantic adequacy regime for sharing personal data.

Three Key Points

(1) US surveillance practices

Considering the Court of Justice of the European Union (CJEU) Schrems II decision, the US, through Executive Order (EO) 14086 (Federal Register), provides additional oversight of its signals intelligence practices. In a thoughtfully prepared memorandum, the Department of Justice (DoJ) articulates the necessity and proportionality of the minimum appropriate safeguards under the EO and designates the EU and EEA as “qualifying states” (noting, of course, that some European states still conduct bulk surveillance and offer fewer legal protections from state surveillance than the US).

(2) Redress

As authorized by EO 14086, the DoJ created the independent Data Protection Review Court (DPRC), which addresses another major concern of Schrems II. EU citizens now have a venue to voice their complaints.

(3) Data Privacy Framework (DPF)

The DPF is the third generation of EU-US adequacy. The Department of Commerce (DoC) went live with its DPF website on Monday, 17 July. Like its predecessors, the DPF is a self-certifying data transfer mechanism for for-profit entities that transfer personal data between the US and the EU.

The new EU-US DPF will be reviewed by the Commission in one year, and thereafter it must be reviewed at least once every four years.

The Court of Justice of the European Union (CJEU) invalidated two prior adequacy decisions - Safe Harbor and the Privacy Shield.

Important things to consider:

  • For now, continue to execute your transfer impact assessments (TIAs), but now you may reference the DPF and the Commission’s adequacy decision;

  • It is also prudent to continue to use standard contractual clauses (SCCs) and binding corporate rules (BCRs), if applicable. This is a sound belt and suspenders approach because you know Max Schrems is likely to file another challenge.

  • Update your privacy policies to reflect DPF guidelines if your business meets those standards and decides to self-certify.

  • If you still follow the EU-US Privacy Shield, your recertification date will not change. The DoC seems dedicated to making the transition to DPF as streamlined as possible.

  • The DoC will be extending DPF commitments to the United Kingdom (UK) (UK Extension). Expect this later in 2023. To qualify, an entity must first comply and certify with the EU-US DPF.

  • Sharing data with Swiss entities? A separate Switzerland-US framework will be available (Swiss-US DPF). Entities will need to separately certify for the Swiss and EU frameworks.

If your business targets potential customers in the European Union, or if you plan to expand operations in the EU and other countries with comprehensive privacy regulations, you must step up your data governance and compliance practices.

Next Steps

  1. Review your organization’s approach to governance, risk, and compliance (GRC);

  2. Review your data map and register of processing activities (if you don’t have one yet, let’s chat).

  3. Review your contracts, specifically your data sharing agreements. Update language as needed.

  4. Consider whether your organization has the time, resources, and desire to self-certify under the EU-US DPF or the other frameworks with the UK and Switzerland.

Conclusion

In sum, the new EU-US DPF provides the regulatory foundation that facilitates more streamlined transnational sharing of personal data across the Atlantic. This is good for business, for the time being. As always, consistent attention should be paid to your organization’s processes, policies, and agreements from a privacy compliance perspective.

Still have questions? As always, 1GDPA is here to support your privacy, cybersecurity, and risk programs. Take a look at our services and the industries we support, and please feel free to reach out for a free consultation.
