Well it’s taken a few years of hard negotiation, but at last there’s good news (at least for now …) for EU – US data transfers. The long-awaited EU-US Data Privacy Framework (DPF) has now been voted upon by the EU. Adequacy status has been granted, and enters into force immediately (11th July 2023). This means that the EU considers that the DPF provides protection that is essentially as robust as that provided within the EU.
How does the EU-US DPF work?
The DPF framework is designed to provide a safe, reliable, efficient and cost-effective way for businesses to transfer personal data between the EEA and the United States. The mechanism is similar to the previous Privacy Shield. And with immediate effect, the EU may send personal data to all self-certified US companies that adhere to the DPF privacy obligations without the need for additional transfer safeguards.
- For US companies, the DPF certification process is not onerous – it is very similar for to that adopted for the previous Privacy Shield – participation will arguably be the simplest, most cost-effective and reliable EU-U.S. personal data transfer tool available
- The DPF will simplify the needs for transfer impact assessments, 2021 SCCs, and supplementary measures when sharing data with U.S. businesses certified under and compliant with the new DPF.
Is DPF different from Privacy Shield?
There are some improvements over Privacy Shield. Most notably, the US has said it will limit US intelligence services’ access to EU data to what is “necessary and proportionate to protect national security”. Also, EU citizens have improved redress mechanisms if their personal data is handled against the Framework’s privacy obligations. And there is a new Data Protection Review Court to help address such issues.
Many US companies are already self-certified under the previous Privacy Shield Framework. They will all be able to access a simplified process for self-certifying their commitment to the new DPF. In practice, this means that they will simply need to sign up to the new Data Privacy Framework principles.
What does this mean for the UK?
This provides both hope and expectation that the much-anticipated UK-US Data Bridge (the UK extension to the Data Privacy Framework) could be in place shortly. The Department of Commerce states that from 17 July 2023, DPF-certified US organisations can also self-certify for the UK Extension. US organisations signing up to the UK Extension must also self-certify for the EU-US DPF.
However, the UK Extension may not be relied upon for UK personal data transfers until the UK adequacy regulations are in force. There is no clear date for this, but it is clear that finalising the Data Bridge is a key deliverable for UK-US data flows in 2023.
How long will the DPF last?
Impossible to say. Like all adequacy decisions, it is subject to ongoing scrutiny. The real issue, however, is that we should expect significant legal cases against the EU-US DPF. Though the EU Justice Commissioner has stated that the Commission is “very confident to try to, not only implement such an agreement, but also to defend in all procedures it will have to face” it is worth noting that legal cases against both original frameworks – Safe Harbor and its replacement Privacy Shield – resulted in both ultimately being ruled invalid by the EU Court of justice. However, it is expected that the U.S. efforts to address concerns surrounding data subjects’ redress may help the DPF withstand legal challenges.
Victoria Tuffill
13th July 2023
If you have any questions or concerns about your data protection measures, or data transfers to third countries, please don’t hesitate to take a look here or call 01787 277742 or email dc@datacompliant.co.uk