The New EU-US Data Privacy Framework: How to Ensure Compliant Data Transfers Going Forward

Welcome to Penneo’s newsletter, where you'll find actionable advice to tackle the challenges faced by your business when it comes to data security & regulatory compliance.

Today's read is ~9 minutes


Over the last couple of months, newspapers around the world have reported the long-awaited adoption of the EU Commission adequacy decision on the new EU-US Data Privacy Framework (DPF).

The adoption of the decision marks a significant step towards restoring an essential and affordable data transfer mechanism after the uncertainty created by the Schrems II ruling.

The decision concluded that the United States ensures an adequate level of protection – comparable to that provided in the European Union under the GDPR – for personal data transferred from the EU to US companies under the new framework.

On the basis of the new adequacy decision, personal data can flow safely from the EU to US companies participating in the Framework without having to put in place additional data protection safeguards.

How did we get here, though? Why was a new Data Privacy Framework needed? And how can companies ensure compliance in EU-US data transfers going forward?

Before diving into what this update means for your business, here is a recap of how we got to this point.

Let’s take a trip down memory lane

  • 1998-2000: It all started with the Safe Harbor Privacy Principles, developed to prevent EU and US organizations from accidentally disclosing or losing customers’ personal information.
  • 2015: Safe Harbor’s validity was successfully challenged during the legal action launched by the data privacy activist Max Schrems against the Irish Data Protection Supervisory Authority for failing to investigate the transfers of personal data from Facebook Ireland to Facebook Inc. in the US.
  • 2016: The Privacy Shield framework was adopted to replace Safe Harbor as a new EU-US data-sharing protocol that allowed transatlantic transfers of personal data to companies that were self-certified under the framework and could, therefore, ensure high-level protection of personal data, equal to the protection provided by EU data privacy laws.
  • 2018: Max Schrems amended his first claim and filed a second case with the Irish national courts. The case was subsequently referred to the European Court of Justice (CJEU), which separately argued that the Privacy Shield Framework failed to protect EU citizens’ privacy rights. Skepticism over the Privacy Shield’s validity was raised regarding the ability of US intelligence and surveillance agencies to access European citizens' personal data beyond what would be proportionate and necessary under EU privacy laws.
  • 2020, July: Despite not being in the initial scope of the case, the CJEU invalidated the Privacy Shield in what became known as the Schrems II decision. With the Privacy Shield no longer a valid lawful basis for EU-US personal data transfers, companies that wanted to transfer data to a country outside the EU had to:
    - assess the local law in that jurisdiction,
    - implement supplementary measures, including Standard Contractual Clauses (SCCs), to regulate the transfers, and
    - implement appropriate technical and organizational measures.
    Since the SCCs were last updated in 2010, they did not take into account the provisions of the GDPR; therefore, the EU Commission adopted new standard contractual clauses for transfers of personal data to non-EU countries.
  • 2022, March: After more than a year of negotiations, the EU Commission and the US government announced that they had agreed in principle on a new Trans-Atlantic Data Privacy Framework, which marked an unprecedented commitment from the United States to strengthen data protection and deepen the relationship with the European Union. The next step would be translating this arrangement into a US Executive Order to be assessed by the EU Commission.
  • 2022, October: US President Joe Biden signed an executive order on the EU-US data-sharing agreement. The executive order limited the ability of US security intelligence agencies to access people’s personal information. The order demonstrated the US commitment to ensuring respect for privacy and enabling economic opportunities. The main takeaways from the presidential decree can be summarized as follows:
    - It added further safeguards for US signals intelligence activities by prescribing that such activities be conducted only when necessary and proportionate for defined national security objectives, taking into account all persons’ privacy and civil liberties, regardless of their nationality or country of residence.
    - It established data processing rules for personal information collected through intelligence activities and extended the liability of legal, oversight, and compliance officials to ensure appropriate actions are taken to remediate incidents of non-compliance. The policies and procedures of the US Intelligence Community should be aligned to these new rules and annually reviewed to ensure their effectiveness in protecting personal data.
    - It created a multi-layer mechanism for individuals to obtain an independent and binding review of their claims of violation of their right to privacy under US law. The first layer is a Civil Liberties Protection Officer’s (“CLPO”) initial investigation of the complaints received to determine the appropriate remediation. The decision of the CLPO is binding on the Intelligence Community but subject to a second layer of review by the Data Protection Review Court (“DPRC”) established by the Attorney General. Judges on the DPRC will be appointed from outside the US Government, have relevant experience in data privacy and national security, review cases independently, and enjoy protections against removal.
    The next step would be for the EU to conduct an “adequacy determination” of the measures to evaluate whether they provided sufficient data protection.
  • 2023, July: The European Commission adopted its adequacy decision, concluding that the United States ensures an adequate level of protection – comparable to that provided by the GDPR in the EU – for personal data transferred from the EU to US companies under the new framework. Therefore, personal data can now be transferred safely from the EU to US companies certified under the Framework without having to put additional data protection safeguards in place.

The New EU-US Data Privacy Framework (DPF) in a nutshell

The EU-US Data Privacy Framework introduces new binding safeguards to address the concerns raised by the CJEU and effectively protect EU citizens’ personal data.

Below are key highlights:

Obligations for US companies

Participation in the EU-US DPF is based on a system of certification by which US organizations commit to a set of privacy Principles included in the EU Commission Adequacy Decision.

To be eligible for certification under the EU-US DPF, a US-registered organization must be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) or the US Department of Transportation (DoT).

The Principles apply immediately upon certification. EU-US DPF organizations must then re-certify their adherence to the Principles annually.

Companies that have joined the Privacy Shield can update references in their privacy policies to the DPF and GDPR during a transitional period of three months (from the 17th of July to the 17th of October, 2023). As soon as the references are updated in the privacy policies, the DPF can be used as a lawful data transfer basis.

Limitations for the US Government and law enforcement agencies

The DPF limits the amount of EU personal data that US intelligence agencies can access and includes a number of safeguards regarding access to EU personal data by US public authorities, particularly for criminal law enforcement and national security purposes.

Data access is limited to what is necessary and proportionate to protect national security.

Safeguards for EU citizens

EU citizens can rely on independent and impartial redress mechanisms if they believe US companies have violated their data privacy rights.

These mechanisms include free-of-charge independent dispute resolution mechanisms and an arbitration panel.

The DPF also established a Data Protection Review Court (DPRC), to which EU citizens can report violations of the new safeguards on the collection and use of their personal data by US intelligence agencies. The DPRC will independently investigate and resolve complaints, as well as adopt binding remedial measures, such as ordering the deletion of unlawfully collected data.

What does this mean for your business?

Most companies operating in the EU and US welcome this update as a great milestone toward making life easier for their businesses.

However, there’s still some confusion around the next steps for EU companies to ensure full adherence to the GDPR when doing business with US organizations.

Many companies still rely on Standard Contractual Clauses and Binding Corporate Rules to transfer EU personal data to the United States. While these GDPR-approved data transfer mechanisms maintain their validity, EU companies need to ensure that the US organizations they do business with also meet the new obligations set by the new Data Privacy Framework.

How can you ensure compliance in EU-US data transfers going forward?

Here are a few practical steps that can help you in your ongoing compliance work when transferring data to the US:

  1. Identify your data chains: First and foremost, data processing activities should be thoroughly mapped and documented. All data processing chains must be uncovered, regardless of whether the transfer is made to a data controller or a sub-processor.
  2. Assess whether the US companies you transfer data to are participating in the Data Privacy Framework: As mentioned above, registered US companies wanting to participate in the DPF need to undergo an official investigation to certify their compliance with the Principles established in the Framework. You can check whether the US companies you do business with are certified by using the publicly available DPF search tool and verifying their participation status (Active or Inactive). Moreover, you can look at their privacy policies which, if they participate in the DPF, should include information about their active certification.
  3. Update your Standard Contractual Clauses (SCCs): Although Transfer Impact Assessments (TIAs) and supplementary measures will not be necessary for data transfers to DPF participants, if you have SCCs in place with business partners who are now DPF participants, these SCCs may be updated to indicate the date of transition to the DPF.
  4. Update your list of data processors and indicate those among them that now participate in the DPF: If your company handles personal data and uses US-based sub-processors to assist in this data processing, the legal basis of each transfer to a processor should be specified in the data processing agreement. Moreover, if the legal basis for a transfer changes from the SCCs to the DPF, this should be documented in the data processing agreement.
  5. Inform your data subjects if your data transfers to the US previously based on SCCs will now take place on the basis of the DPF: US companies participating in the DPF must update their privacy policies with information for data subjects about the new transfer basis. EU data controllers that transfer data to US companies acting as data processors may link to this information in their own privacy policy.

Next steps

The new framework introduces significant improvements compared to the mechanisms that existed under the Privacy Shield and lessens the burden of implementing the CJEU-permitted supplementary measures for many European companies.

The functioning of the EU-US Data Privacy Framework will be subject to periodic reviews carried out by the European Commission, together with representatives of European data protection authorities and competent US authorities.

The first review will take place within a year of the entry into force of the adequacy decision in order to verify that all relevant elements have been fully implemented in the US legal framework and are functioning effectively in practice.

Leveraging digital solutions like Penneo to manage documents and data can go a long way in keeping information safe and confidential.

At Penneo, we process and store personal data within the EU and maintain encrypted backups in EU data centers. Aside from ensuring full GDPR compliance internally, we also provide features specifically designed to assist you in meeting GDPR requirements, such as automatic data deletion after a set timespan, access control based on NIN, end-to-end encryption, and more.

With Penneo, you can benefit from a high level of comfort regarding data security, as our products are purpose-built to meet the needs of even the most compliance-conscious customers.

Moreover, Penneo receives a yearly ISAE 3000 report, and we are ISO 27001 and 27701 certified.

Would you like to hear more about how we can help your organization improve compliance?

Get in touch with us, or try Penneo for free!

Thanks for reading!

If you enjoyed this article, check out Penneo’s website for more content like this, and follow us by subscribing to our email newsletter!

Subscribe and browse our previous newsletters and articles here.