EU-U.S. Data Privacy Framework

On July 10, 2023, the European Commission (EC) approved the EU-U.S. Data Privacy Framework (the “Framework”). The decision was the result of an evaluation and determination by the EC that the Framework ensures an adequate level of protection as compared to EU law. Consequently, transfers of personal data from the EU to a US company participating in the EU-U.S. Privacy Framework are permissible under the EU GDPR. 

Background 

Since 1998, there have been restrictions in place regarding the transfer of personal data from the European Union (currently, there are 27 member states) to any country outside of the European Economic Area (the EU, plus Iceland, Liechtenstein, and Norway). Cross-border data transfers are permissible under EU law if the EC has determined that the laws in the recipient country are ‘adequate’ (i.e., viewed as providing a comparable level of protection as the EU laws), or if the company that will receive the data otherwise provides an adequate level of protection, for example by adopting Binding Corporate Rules or entering into Standard Contractual Contracts.  

While the EC does not view the U.S. privacy laws as being ‘adequate’ or comparable to the protections provided under EU law, the EC and U.S. have worked together over the past two and a half decades to create and sustain a mechanism whereby individual companies in the U.S. can receive personal data from the EU.  

A Brief History of EU-U.S. Data Transfers 

1995: EU Data Protection Directive¹ (the “Directive”) passes, requiring all EU member states to incorporate certain privacy provisions into national law. Required provisions include restrictions on cross-border transfers of personal data.  

1998: the Directive takes effect 

2000: U.S. Department of Commerce (DOC) and European Commission (EC) agree to the EU-U.S. Safe Harbor, under which certified companies are ‘deemed adequate’ for purposes of transfers of personal data from the EU 

2015: the European Court of Justice (EJC) invalidates the Safe Harbor, overthrowing a decision of the Irish Data Protection Commissioner (DPC) in response to a complaint by Max Schrems 

May 2016: EU General Data Protection Regulation² (GDPR) passes 

August 2016: Schrems files a complaint against Privacy Shield with the DPC, which again goes to the ECJ  

2018: GDPR takes effect 

2020: ECJ invalidates Privacy Shield (“Schrems II”) 

2023: U.S. DOC, U.S. Department of Justice, and EC agree to the Data Privacy Framework (“Framework”) 

TBD: Schrems files a challenge to the Framework (see NOYB’s statement of intent) 

Data Privacy Framework Requirements 

As with the Safe Harbor and Privacy Shield – the two predecessors of the current Framework – companies in the U.S. self-certify to participate. Certifying indicates that the company agrees to oversight and enforcement by the U.S. Federal Trade Commission (FTC), the U.S. Department of Transportation (DoT), or other governmental agency. 

Certification and more information about the DPF is available at https://www.dataprivacyframework.gov/. Companies who wish to certify need to comply with the Framework, specifically including the following: 

·         Provide notification of Privacy Framework certification to data subjects; 

·         Provide choice and opt-out mechanisms to data subjects; 

·         Put into place contracts with vendors to ensure appropriate protection of personal data; 

·         Implement and maintain measures to protect personal data; 

·         Only collect and process personal data for those purposes disclosed in a privacy notice; 

·         Allow data subjects to request access, correction, and deletion of personal data and to exercise other available rights 

·         Specify the recourse mechanisms available to investigate any unresolved complaints; and 

·         Adopt controls to ensure compliance with the Framework.

The Framework’s principles, scope of applicability and certification mechanisms generally remain the same as the Privacy Shield. For those companies who previously certified (and maintained certification) to the Privacy Shield, you will automatically be certified to the Framework with no current additional certification required. In case of automatic certification, your company is required to update your Privacy Notice within 3 months (by October 10, 2023) to refer to the Framework instead of the Privacy Shield.  

Next Steps

For companies that operate in the EU and/or provide services to companies that operate in the EU and have not put into place mechanisms to support valid transfer of personal data from the EU, you should evaluate your privacy practices and consider certification to the Framework. If you currently use Standard Contractual Clauses (SCCs), you may also want to consider adding Framework certification. This will give an additional layer of protection, particularly following the recent Meta decision (in May, the DPC fined Meta €1.2b (approx. $1.3b) and ordered it to stop transferring data about EU Facebook users to the U.S.), which calls into question the sufficiency of SCCs.  

Regardless of your approach, keep in mind the decades-long history and lack of clarity regarding transfers of EU personal data to the U.S. and companies operating in the U.S.  

Red Clover is here to help you with certification. Please schedule a meeting to talk about what steps your company needs to take for self-certification with DPF.