EU Commission Adopts New EU-US Data Privacy Framework (EU-U.S. DPF)

On 10 July 2023, the European Commission (EC) adopted its long-awaited adequacy decision on data transfers under the EU-U.S. Data Privacy Framework. The adequacy decision establishes a new legal framework for EU to US data transfers via its DPF Principles and takes effect immediately. US-based organizations can now certify their participation in the framework through the US Department of Commerce and personal data transfers from the EEA to certified companies can take place.

A Brief Overview of EU U.S. Data Privacy Framework

Here is a concise summary of the EU-U.S. Data Privacy Framework provided in the Q&A section:

1. The European Commission's adequacy decision confirms that the United States provides sufficient data protection for personal data transferred from the EU to participating US companies under the EU-U.S. Data Privacy Framework. The EU-U.S. DPF establishes rules and safeguards regarding the access to data transferred under this framework by US public authorities and limits US intelligence authorities' data access to what is necessary and proportionate for national security. Effective oversight and compliance with privacy and civil liberties standards will be ensured.
2. US companies can self-certify their participation in the framework by committing to privacy obligations, such as purpose limitation, data minimization, and ensuring data security when sharing personal data with third parties. The US Department of Commerce will administer and oversee the certification, with compliance enforcement by the US Federal Trade Commission.
3. The EU-U.S. DPF enhances rights for EU individuals and offers various avenues for redress if data is mishandled by US intelligence agencies, including dispute resolution mechanisms and an arbitration panel. A two-layer redress mechanism is in place for individuals whose data is transferred from the EU to US companies and accessed by US intelligence agencies.
4. Individuals can submit complaints to their national data protection authority, which will be transmitted to the US through the European Data Protection Board (EDPB). The Civil Liberties Protection Officer (CLPO) will investigate the complaints, and individuals have the right to appeal to the newly established and independent Data Protection Review Court (DPRC), which can take binding remedial decisions.
5. US Government safeguards in national security, including the redress mechanism, apply to all GDPR data transfers to US companies, regardless of the transfer mechanisms. Therefore, these safeguards also facilitate the use of other tools, such as standard contractual clauses and binding corporate rules.
6. The Privacy and Civil Liberties Oversight Board, which will have access to all relevant documents, including classified information, will oversee the intelligence services. Under Article 3 of the adequacy decision, the EC will continuously monitor the application of the EU-U.S. DPF. The EC and representatives of European data protection agencies and relevant US authorities will conduct periodic reviews of the EU-U.S. DPF’s implementation.
7. Within a year of the adequacy decision coming into effect, the first review will be conducted in July 2024 to ensure that all necessary elements have been fully incorporated into the US legal system and are functioning effectively in practice.

Advisory Guidance Issued by U.S. Department of Commerce

Following an adequacy decision adopted by the EU Commission, the U.S. Department of Commerce, specifically the International Trade Administration's Privacy Shield Team, has issued important advisory guidance regarding the Privacy Shield Program. As per this guidance:

• US-based organizations that previously self-certified their commitment to comply with the EU-US Privacy Shield Framework Principles must now comply with the EU-U.S. DPF Principles and update their privacy policies by October 10, 2023. These organizations do not need to make a separate, initial self-certification submission for the EU-US DPF. In fact, they can rely on the EU-U.S. DPF adequacy decision to receive personal data transfers from the EEA. Organizations not interested in participating in the EU-U.S. DPF must follow the withdrawal process outlined by the International Trade Administration.
• Starting from July 17, 2023, eligible organizations in the United States can self-certify their compliance with the UK Extension to the EU-U.S. DPF, but they cannot rely on it for personal data transfers from the United Kingdom until the UK’s anticipated adequacy regulations enter into force. Organizations participating in the UK Extension to the EU-U.S. DPF must also participate in the EU-U.S. DPF.
• On July 17, 2023, the Swiss-U.S. Data Privacy Framework Principles will enter into effect, and organizations that previously self-certified their commitment to comply with the Swiss-U.S. Privacy Shield Framework Principles must update their privacy policies by October 17, 2023. Organizations do not need to make a separate self-certification submission for the Swiss-U.S. DPF but cannot rely on it for personal data transfers from Switzerland until the Swiss Federal Administration recognizes the adequacy of the Swiss-U.S. DPF.
• The U.S. Department of Commerce, the International Trade Administration Office will launch the Data Privacy Framework program website on July 17, 2023, to enable organizations to make self-certification and recertification submissions for the EU-U.S. DPF, UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF. The website will also provide guidance materials and updates on the status of these programs.

EDPB Advisory Guidance on Transfers under Article 46 Transfer Tools

It’s also important to note that as per a recently published information note by the European Data Protection Board (EDPB), it has been clarified that transfers based on adequacy decisions (i.e, transfers made to US organizations certified under the US DPF) do not need to be complemented by supplementary measures.

Furthermore, the EDPB has also stated that while transfers to US organizations which are not included in the ‘Data Privacy Framework List’ will continue to require appropriate safeguards, such as standard data protection clauses (SCC) or binding corporate rules (BCR) - which after Schrems II also require data exporters to conduct transfer impact assessments (TIAs) and employ supplementary measures to mitigate the privacy risks posed to data subjects by judicial and legal authorities of a non-adequate third country to the transferred data however, all the safeguards that have been put in place by the U.S. Government in the area of national security (including the redress mechanism) apply to all data transferred to the U.S., regardless of the transfer tool used. Thus, in many ways, the most arduous part of the TIA process has effectively been resolved for businesses as data exporters can now take into account the assessment conducted by the Commission in the Adequacy Decision when measuring the privacy risks posed to the transferred data and which (if it all) supplementary measures to deploy to protect the transferred data.

Finally, the information note by the EDPB has also specified that in the area of national security, EU individuals can submit a complaint to their national data protection authority (DPA) to make use of the new redress mechanism regardless of the transfer tool used to transfer personal data to the US.

What Businesses Need to Do

Under the EU-U.S. DPF, data exporters in the EU who intend to transfer personal data from the EU must first determine whether the receiver in the U.S. is certified under the EU- U.S. DPF and whether the relevant data transfers are covered by such certification before making the transfer. This can be validated by visiting the DPF website. On the other hand, data importers in the U.S. intending to take advantage of the DPF's safeguards should take the necessary procedures to self-certify and comply with DPF Principles.

Also, U.S. organizations previously certified under the EU-U.S. Privacy Shield must update their privacy policies by October 10, 2023, to comply with the new EU-U.S. DPF Principles. No separate self-certification is required for participation, and organizations can immediately rely on the adequacy decision for data transfers from the EU.

Organizations considering getting certified under the EU-U.S. DPF may take the following immediate actions:

1. Audit and map data transfers conducted, especially of personal data from the EU.
2. Stay updated and closely follow guidance from the Department of Commerce’s International Trade Administration on certification and requirements for the new EU-U.S. Data Privacy Framework.
3. Conduct a gap analysis of existing compliance programs with the EU-U.S. Principles that will be administered by the US Department of Commerce for self-certification.
4. Inform data subjects of certification or the particular transfer tool being relied upon via a privacy notice.

How Securiti Can Help

The EU-U.S. DPF is anticipated to be a crucial facilitator of a trans-Atlantic data economy at a time when technologies that compel cross-border data transfers, like AI or cloud computing, play an increasing significance.

Securiti’s DataControls Cloud framework enables organizations to meet EU GDPR compliance requirements through AI-driven PI data discovery, DSR automation, documented accountability, enhanced visibility into data processing activities, and AI-driven process automation. Securiti offers automated data mapping, Data Access Intelligence Governance, DSR rights fulfillment, data breach management and security controls to help you comply with the applicable privacy obligations.

Request a demo to learn how Securiti can help you ensure GDPR and EU-U.S. DPF compliance.