EU-U.S. Data Privacy Framework: The New American Dream or Just Data Daydreaming?

On July 10, 2023, the European Commission gave the green light to the EU-U.S. Data Privacy Framework, marking a new chapter in the data protection regimes of the U.S. and the EU. This adequacy decision confirms that U.S. companies certified under the framework meet adequate data protection standards.

In this article, we'll explore what this means for EU-based companies transferring data to the U.S. and whether personal data can indeed flow across the Atlantic without additional safeguards.

Why Does the EU-U.S. Data Privacy Framework Matter?

The General Data Protection Regulation (GDPR) is particularly strict about where the data of people in the EU may travel. Moving personal data outside the EU, including to the U.S., is not as simple as hitting a "send" button. The rules are clear: keep the data protected or face the consequences. The lawful transfer mechanisms are summarized below:

  • Adequacy Decisions: If the European Commission has decided that a country outside the EU provides adequate data protection, you can transfer data to that country without any extra safeguards. The EU-U.S. Data Privacy Framework is a prime example of this.

  • Standard Contractual Clauses (SCCs) are another option. If there is no adequacy decision, you can use SCCs to make sure your data transfers are still GDPR-compliant. Just make sure you are using the latest SCC version approved by the Commission.

  • Binding Corporate Rules (BCRs) are a further option. Multinational companies can use BCRs to transfer personal data across borders within their corporate group. These rules have to be approved by the data protection authorities.

  • Derogations: In specific situations, data can be transferred without one of the safeguards above, for example if the data subject has given explicit consent or if the transfer is necessary to perform a contract.

  • Specific Contracts or Arrangements: You can also transfer data under tailored contracts or arrangements that meet the GDPR's standards for data protection.

Navigating the New EU-U.S. Data Transfer Landscape: What You Need to Know

The EU-U.S. Data Privacy Framework is the latest attempt to bridge the transatlantic divide, offering a streamlined route for data transfers. The new framework is intended to replace the previous arrangements:

  • Safe Harbor, which was invalidated by the CJEU in 2015 in the Schrems I decision.

  • The EU-U.S. Privacy Shield, which was struck down by the CJEU in 2020 in the Schrems II ruling.

As the European Commission's third attempt, the EU-U.S. Data Privacy Framework is designed to facilitate the transfer of personal data to the U.S., in theory without any extra legal steps.

Data's Big Trip: How the EU-U.S. Data Privacy Framework Lets Your Data Cross the Pond with Ease

The new EU-U.S. Data Privacy Framework is a big change for many, but don't think it's a free pass. To keep your data transfers smooth and lawful, it's important to understand when you still need Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or any of the other safeguards set out in Article 46 GDPR.

First things first: is the U.S. supplier or partner who will be handling the data certified? Start by checking the Data Privacy Framework list.

If your U.S. supplier or partner is indeed certified under the EU-U.S. Data Privacy Framework, make sure to dig deeper. Check whether they use subcontractors in other countries, and verify that robust safeguards are in place and that a Transfer Impact Assessment (TIA) has been completed. Also, ensure your privacy statements are up to date and accurately describe third-country transfers.

If you're transitioning to the new framework, remember that existing SCCs can be terminated. These clauses are simply a contract between the parties and remain valid until one party withdraws. If the SCCs were also serving as your data processing agreement, you will need a new data processing agreement or contract once they are terminated.

So, what happens if your U.S. supplier or partner is not certified?

If they're not on the EU-U.S. Data Privacy Framework list, don't worry. The most straightforward approach is to use Standard Contractual Clauses (SCCs) to make sure your data stays protected. It's also a good idea to carry out a Transfer Impact Assessment (TIA). Think of it as a check that your data will remain secure in the destination country: confirm that the country receiving the data offers protection comparable to the EU's, and if it does not, add extra safeguards.

Conclusion: Smooth Sailing or Just a Mirage?

The new EU-U.S. adequacy decision might seem like a dream come true for hassle-free data transfers, but don't get too comfortable. The decision is likely to face challenges, and it could end up being reviewed by the CJEU and eventually successfully challenged and revoked. The new framework is essentially a reboot of the previous agreements, with U.S. surveillance capabilities still in play.

If you're an EU company counting on this adequacy decision, proceed with caution. It's also worth noting that U.S. firms often use subcontractors in countries outside the EU, so certification under the new framework alone isn't enough. Companies need to look closely at which subcontractors they are working with and make sure those subcontractors meet the strong protections required by Article 46 GDPR.

In short, while the framework might look promising, it's wise to stay on your toes and not let your guard down just yet.

Compleye has developed a GDPR service package to support you with the implementation. In 3 days, we work with you and train you, provide all mandatory documentation, and together we define the security measures that are appropriate for the stage and phase of your company, with a GDPR Statement as the end result. The statement is like a small whitepaper to share with (potential) customers to build trust.

GDPR is a great first step for a business to take before implementing a complete Information Security Management System (ISMS) such as ISO 27001, because you can only implement and get certified for the ISO 27701 standard if you already hold an ISO 27001 certificate. And you can only protect the privacy of your customers if you have a security system in place!

Compleye GDPR Assessment, Training and Implementation Pack