#data security
#information security
#privacy

EU-U.S. Data Privacy Framework Simplifies Data Import for U.S. Companies

July 18, 2023

U.S. companies no longer need to implement additional safeguards when importing data from Europe. Learn more about the Data Privacy Framework and what it means for your business.

The European Commission adopted an adequacy decision for the EU-U.S. Data Privacy Framework (DPF) on July 10, 2023. The decision concluded that the U.S. ensures an “adequate level of protection” for personal data transferred from the European Union to the United States, as required by the EU General Data Protection Regulation (GDPR). The DPF creates a lawful transatlantic framework for the free flow of data from the EU to DPF-certified companies located in the U.S. What does the DPF mean for U.S. companies?

Let’s dive deeper into the EU-U.S. Data Privacy Framework and learn about the main opportunities and pitfalls of the long-awaited decision.

The Framework's Background

The adequacy decision is the result of lengthy EU-U.S. negotiations following the European Court of Justice’s Schrems I (October 2015) and Schrems II (July 2020) rulings. The rulings invalidated the prior frameworks for EU-to-U.S. cross-border data transfers, Safe Harbor and the EU-U.S. Privacy Shield. These programs were found insufficient to provide Europeans with effective redress rights and adequate protection against interception of their data by U.S. intelligence authorities. This was considered a serious violation of Article 44 of the GDPR, which requires personal data exporters to ensure that any recipient of the data outside the EU maintains an “adequate” level of data protection. Following Schrems II, the United States implemented additional protections addressing the above concerns, including issuing Executive Order 14086, “Enhancing Safeguards for United States Signals Intelligence Activities,” in late 2022.

The Substance of the Data Protection Framework

The DPF includes provisions similar to those of its predecessors: data retention requirements, purpose limitation, data minimization, data security, and data accuracy principles. However, the DPF also includes provisions designed to address the data security and privacy concerns raised in Schrems I and II. Specifically, the DPF includes enhanced data protection safeguards, including limits on U.S. intelligence services’ access to EU personal data. The DPF also established the Data Protection Review Court, whose role is to “handle and resolve” EU individuals’ complaints regarding U.S. intelligence activities related to their data.

How to Join the EU-U.S. Data Privacy Framework?

To be part of the Privacy Framework, American companies must be under the authority of the Federal Trade Commission (FTC), U.S. Department of Transportation (DoT), or other relevant bodies responsible for enforcing the Data Privacy Framework. Moreover, these companies must pledge to follow a defined set of privacy principles, including:

Certification and Enforcement Process

The EU adequacy decision became effective on July 10, 2023. However, the DPF only permits data transfers to U.S. importers certified under the program, which must meet its minimum data protection standards. The timing of the first U.S. company certifications is uncertain, and it is unclear whether companies previously certified under the EU-U.S. Privacy Shield can quickly leverage that compliance for DPF certification or must start a new compliance process from the beginning. If you are an American organization seeking to benefit from the Data Protection Framework, we suggest you do the following:

  1. Review your privacy policy to check its accuracy and compliance with the framework.
  2. Monitor updates from the U.S. Department of Commerce to get a clear path for obtaining DPF self-certification.
  3. Begin collecting the information necessary for the self-certification process. The types of information required can be found on the International Trade Commission DPF Overview website.

Many companies may have let their Privacy Shield certifications lapse amid the uncertainty created by Schrems II, so there is no better time to review the status of those certifications. If a company was not previously certified under the Privacy Shield, there is work to do in creating the additional policies and processes the framework requires.

The Main Issues Related to the Data Privacy Framework

The European Commission's adequacy decision brings relief to numerous businesses involved in global commerce. Nevertheless, the future of the DPF remains uncertain. The privacy advocacy group NOYB, known for challenging Safe Harbor and Privacy Shield in Schrems I and II, plans to appeal the framework, as it believes the DPF resembles the Privacy Shield and fails to address crucial surveillance issues. One concern is that the DPF does not offer non-U.S. citizens the same privacy protections that U.S. citizens enjoy under the Fourth Amendment of the U.S. Constitution. The second concern is that the adequacy decision is not beneficial for the U.S. because U.S. administrative authorities still wish to access personal data relating to non-U.S. citizens. Although the new Data Privacy Framework is likely to raise issues, numerous businesses might still benefit from DPF certification, because the process could ease compliance and contractual burdens while the appeal is ongoing. Monitor for updates on the DPF and feel free to contact the Planet 9 team with any DPF-related questions. We’ll be happy to assist!
