The New EU-US Data Privacy Framework (DPF): Third Time's a Charm, or a Habit?
Introduction
On 10 July 2023, the European Commission issued its latest adequacy decision, the European Union - United States Data Privacy Framework (EU-US DPF). Once again, the US is adequate … for now. After a couple of years of drafting and negotiating, welcome to the third round of the epic EU-US trans-Atlantic data flow saga! If your organization processes the personal data of people in the European Union (e.g., you have a website visible in the EU that offers products or services, or you use marketing tools that collect data from EU visitors), you should keep reading closely.
Three Key Points
(1) US surveillance practices
In response to the Court of Justice of the European Union (CJEU) Schrems II decision, the US, through Executive Order (EO) 14086 (Federal Register), imposes additional safeguards on, and oversight of, its signals intelligence activities. In a thoughtfully prepared memorandum, the Department of Justice (DoJ) explains how the EO's safeguards meet the necessity and proportionality standard that Schrems II demanded, and designates the EU and EEA member states as "qualifying states" whose residents may use the new redress mechanism (noting, of course, that some European states still conduct bulk surveillance and offer fewer legal protections against state surveillance than the US).
(2) Redress
As authorized by EO 14086, the DoJ established the independent Data Protection Review Court (DPRC), which addresses the other major concern of Schrems II: the lack of an effective remedy. Individuals in the EU now have a venue for their complaints: a complaint is first investigated by the Civil Liberties Protection Officer of the Office of the Director of National Intelligence, and that determination can then be appealed to the DPRC.
(3) Data Privacy Framework (DPF)
The DPF is the third generation of EU-US adequacy, following Safe Harbor and Privacy Shield. The Department of Commerce (DoC) went live with its DPF website on Monday, 17 July. Like its predecessors, the DPF is a self-certification mechanism for for-profit entities in the US that receive personal data from the EU.
The new EU-US DPF will be reviewed by the Commission in one year, and thereafter it must be reviewed at least once every four years.
Important things to consider:
For transfers that still rely on other mechanisms, continue to execute your transfer impact assessments (TIAs); you may now reference the DPF, EO 14086, and the Commission's adequacy decision when assessing US law. Transfers to a DPF-certified organization are covered by the adequacy decision itself and do not require a separate TIA.
It is also prudent to continue to use standard contractual clauses (SCCs) and binding corporate rules (BCRs), if applicable. This is a sound belt-and-suspenders approach because you know Max Schrems is likely to file another challenge, and a successful one would invalidate the DPF but not your SCCs or BCRs.
Update your privacy policies to reflect the DPF Principles if your business meets those standards and decides to self-certify.
If you are still certified under the EU-US Privacy Shield, your recertification date will not change, although your privacy policy must be updated to reference the DPF Principles within three months of the program launch (by 10 October 2023). The DoC seems dedicated to making the transition to the DPF as streamlined as possible.
The DoC will be extending DPF commitments to the United Kingdom (UK) (UK Extension). Expect this later in 2023. To qualify, an entity must first self-certify to the EU-US DPF.
Sharing data with Swiss entities? A separate Swiss-US framework will be available (Swiss-US DPF). Entities will need to certify separately for the Swiss and EU frameworks.
Next Steps
Review your organization’s approach to governance, risk, and compliance (GRC);
Review your data map and register of processing activities (if you don’t have one yet, let’s chat).
Review your contracts, specifically your data sharing agreements. Update language as needed.
Consider whether your organization has the time, resources, and desire to self-certify under the EU-US DPF or the other frameworks with the UK and Switzerland.
Conclusion
In sum, the new EU-US DPF provides a regulatory foundation for more streamlined sharing of personal data across the Atlantic. This is good for business, for the time being. As always, consistent attention should be paid to your organization's processes, policies, and agreements from a privacy compliance perspective.
Still have questions? As always, 1GDPA is here to support your privacy, cybersecurity, and risk programs. Take a look at our services and the industries we support, and please feel free to reach out for a free consultation.
Sources:
European Commission - Adequacy decision for the EU-US Data Privacy Framework
US Department of Commerce, International Trade Administration - Data Privacy Framework Program
US Department of Justice, Office of Privacy and Civil Liberties (EO 14086)