What does the new EU-US Data Privacy Framework mean for GDPR compliance?

The EU has given a long-awaited adequacy decision to the US, allowing for the free flow of personal data from EU based companies to participating US companies which have signed up to the Data Privacy Framework (DPF). Crucially, these companies will not need further safeguards like Standard Contractual Clauses and is in force from 17 July 2023.

Despite continuing criticism from privacy campaigners who have vowed to overturn this decision, the EU Commission’s approval of the DPF seems to sit on firmer legal ground. The EU Commission has found that data transferred to companies located in the United States which have joined the DPF is subject to a standard of protection which is essentially equivalent to that of the European Union.

The adequacy decision confirms that, at least in the opinion of the European Commission, the measures put in place by the US are sufficient to address the concerns raised by the Court of Justice in the Schrems II case which invalidated the former Privacy Shield. 

What is the Data Privacy Framework?

The DPF is a modification of the prior EU-US Privacy Shield. The European Commission’s decision means that personal data can be transferred from the EU to companies which self-certify under the DPF without any other data transfer mechanisms (like Standard Contractual Clauses or Binding Corporate Rules). Further, organisations transferring personal data to importers who participate in the DPF will not need to carry out transfer risk assessments, because the DPF benefits from an adequacy decision.

“This new framework is substantially different than the EU-U.S. Privacy Shield,” said EU Justice Commissioner Didier Reynders. “When deciding whether and to what extent U.S. intelligence agencies should access data, they will be required to balance the same factors as those required by the case law of the EU Court of Justice.”

This new deal seems to stop the threats from companies like Meta to shut down access to Facebook and Instagram in Europe. The European Data Protection Board (EDPB)— a pan-European network of privacy watchdogs — said the new agreement showed “substantial improvements” compared with previous pacts, but still lacked some safeguards. The European Parliament has opposed the new pact, arguing it still allowed some bulk-collection of personal data and included insufficient protections for Europeans’ privacy.

How does the Data Privacy Framework work?

Companies relying on the DPF and using it correctly are not at risk of fines for data transfers to the United States. The DPF decision also shields companies relying on the DPF from damage claims initiated before national courts. 

U.S. companies on the receiving end of data transfers can now choose between continuing to rely on Standard Contractual Clauses and certifying under the new DPF.

There are some benefits to using SCCs. They are valid for all third countries, not just the US. Also companies are protected if the DPF is struck down. When the CJEU struck down the privacy shield, it was with immediate effect and there was no grace period offered to companies. 

However the DPF is easier and more straightforward. 

Self-certification

Companies self-verify and publicly commit to DPF principles.

Transfer Risks Assessment

Companies transferring EU personal data to the US do not need to carry out more risk assessments.

Privacy Shield conversion

Organisations that previously self-certified under the Privacy Shield can convert their certification into DPF certification.

Handling complaints

Two-tier complaints process to resolve complaints by EU citizens on US intelligence authorities accessing their data. People can submit complaints to the company involved who must process it for free, or to the EU data protection authorities and ultimately to a newly established Data Protection Review Court.

Periodic reviews

The EU Commission will undertake periodic reviews and continually monitor how the DPF functions and US compliance.

SCC’s still valid

Standard Contractual Clauses are still valid and can be used as a fallback option if DPF participation is suspended or struck down.

What does this mean for the UK?

This decision is supposed to enable the establishment of the ‘UK extension to the Data Privacy Framework’ which would facilitate flows of personal data between the UK and the US, known as the ‘Data Bridge’ in the UK. Eligible organisations in the US that wish to self-certify their compliance with the UK Extension can start to do that, but they can’t begin relying on the UK Extension to receive personal data transfers from the UK before the date that the UK’s anticipated adequacy regulations implementing the data bridge for the UK Extension enter into force.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

“In a world older and more complete than ours they move finished and complete, gifted with extensions of the senses we have lost or never attained, living by voices we shall never hear.”

Picture of James

James

VinciWorks CEO, VInciWorks

Spending time looking for your parcel around the neighbourhood is a thing of the past. That’s a promise.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.