U.S. companies no longer need to implement additional safeguards when importing personal data from Europe. Learn more about the Data Privacy Framework and what it means for your business.
The European Commission adopted an adequacy decision for the EU-U.S. Data Privacy Framework (DPF) on July 10, 2023. The decision concluded that the U.S. ensures an “adequate level of protection” for personal data transferred from the European Union to the United States, as required by the EU General Data Protection Regulation (GDPR). The DPF creates a lawful transatlantic framework for the free flow of data from the EU to DPF-certified companies located in the U.S.
What does DPF mean for U.S. companies?
Let’s dive deeper into the EU-U.S. Data Privacy Framework and learn about the main opportunities and pitfalls of the long-awaited decision.
The adequacy decision is the result of lengthy EU-U.S. negotiations following the European Court of Justice’s Schrems I (October 2015) and Schrems II (July 2020) rulings. Those rulings invalidated the prior frameworks for EU-to-U.S. cross-border data transfers, Safe Harbor and the EU-U.S. Privacy Shield. The court considered these programs insufficient to provide Europeans with effective redress rights and adequate protection against interception of their data by U.S. intelligence authorities. This was treated as a serious violation of Article 44 of the GDPR, which requires personal data exporters to ensure that any recipient of the data outside the EU maintains an “adequate” level of data protection.
Following Schrems II, the United States implemented additional protections addressing the above concerns, which included issuing Executive Order 14086 in late 2022, “Enhancing Safeguards for United States Signals Intelligence Activities.”
The DPF includes provisions similar to those of its predecessors: data retention requirements, purpose limitations, data minimization, data security, and data accuracy principles. However, the DPF also includes provisions designed to address the data security and privacy concerns raised in Schrems I and II. Specifically, it adds enhanced data protection safeguards, including limits on U.S. intelligence services’ access to EU personal data. The DPF also established the Data Protection Review Court, whose role is to “handle and resolve” EU individuals’ complaints about U.S. intelligence activities related to their data.
To be part of the Privacy Framework, American companies must be under the authority of the Federal Trade Commission (FTC), U.S. Department of Transportation (DoT), or other relevant bodies responsible for enforcing the Data Privacy Framework. Moreover, these companies must pledge to follow a defined set of privacy principles, including:
The EU adequacy decision became effective on July 10, 2023. However, the DPF only allows data transfers to U.S. importers that are certified under the program and meet its minimum data protection standards. The timing of the first U.S. company certifications is uncertain, and it is unclear whether companies previously certified under the EU-U.S. Privacy Shield can quickly leverage that compliance for DPF certification or must start a new compliance process from the beginning.
If you are an American organization seeking to benefit from the Data Privacy Framework, we suggest you do the following:
Many companies may have let their Privacy Shield certifications lapse following the uncertainty created by Schrems II, so there is no better time to check those certifications. If a company was not previously certified under the Privacy Shield, there is work to do with respect to creating additional policies and processes.
The European Commission’s adequacy decision brings relief to numerous businesses involved in global commerce. Nevertheless, the future of the DPF remains uncertain. Privacy advocacy group NOYB, known for challenging Safe Harbor and Privacy Shield in Schrems I and II, plans to appeal the framework, as it believes the DPF resembles the Privacy Shield and fails to address crucial surveillance issues. One concern is that the DPF does not offer non-U.S. citizens the same privacy protections that U.S. citizens enjoy under the Fourth Amendment of the U.S. Constitution. The second concern is that the adequacy decision is not beneficial for the U.S., given the desire of U.S. administrative authorities to access personal data relating to non-U.S. citizens.
Although the new Data Privacy Framework is likely to raise issues, numerous businesses may still benefit from DPF certification, because the process could ease compliance and contractual burdens while the appeal is ongoing.
Monitor for updates in the DPF and feel free to contact the Planet 9 team with any DPF-related questions. We’ll be happy to assist!