July 17, 2023

What Companies Need to Know About the New EU-US Data Privacy Framework for Cross-Border Data Transfers

On July 10, 2023, the European Commission adopted an adequacy decision for the new EU-US Data Privacy Framework (“DPF”), the revamped transatlantic framework designed to support transfers of personal data from the EU to companies in the US that self-certify compliance with the DPF’s privacy requirements.

Here is what your organization needs to know:

How Can I Self-Certify To The DPF?

Organizations that wish to self-certify must submit an application beginning July 17, 2023, on a new website that will be set up by the Department of Commerce (DoC). The application will require information such as the name of the organization and a description of the organization’s purposes for processing personal data, as well as the appointment of an independent recourse mechanism to investigate unresolved complaints related to the DPF Principles. Organizations must obtain the DoC’s approval to be added to the list of DPF participants. Organizations must also update their publicly posted privacy policy to commit to complying with the DPF Principles. To maintain certification, organizations must pay a fee and recertify annually.

Similar to the now defunct Privacy Shield and Safe Harbor before it, the DPF commits US companies that receive European data to handle the imported European personal data in accordance with the following DPF core Principles:

  • Notice
  • Choice
  • Accountability for Onward Transfer
  • Security
  • Data Integrity and Purpose Limitation
  • Access
  • Recourse, Enforcement and Liability

I Am Already Certified Under The EU-US Privacy Shield. Do I Still Need To Certify Under The DPF?

Organizations that previously certified compliance with the Privacy Shield must update their privacy policies by October 10, 2023, to commit to compliance with the DPF Principles. We expect the new DoC website to describe what the privacy policy updates should entail. Organizations currently certified to the Privacy Shield do not need to make a self-certification submission to participate in the DPF, and may begin relying immediately on the DPF adequacy decision to receive personal data transfers from the EU.

Does The DPF Apply To Transfers of Personal Data From The UK To The US?

The UK and the US have reached a commitment in principle to establish a “data bridge,” which is a “UK Extension” to the DPF. Organizations in the US that wish to self-certify their compliance pursuant to the UK Extension may do so. However, organizations may not begin relying on the UK Extension until the UK’s anticipated adequacy regulations implementing the data bridge are in force.

Does The DPF Apply To Transfers of Personal Data From Switzerland To The US?

The Swiss-US Data Privacy Framework (Swiss-US DPF) Principles will enter into effect on July 17, 2023. Organizations that self-certified to the Swiss-US Privacy Shield Framework Principles must now comply with the Swiss-US DPF Principles, including updating their privacy policies by October 17, 2023. These organizations do not need to make a self-certification submission to participate in the Swiss-US DPF; however, they may not begin relying on the Swiss-US DPF to receive personal data transfers from Switzerland until the Swiss Federal Administration’s anticipated recognition of adequacy for the Swiss-US DPF.

Will The DPF Fare Any Better Than The Safe Harbor or The Privacy Shield?

While noyb, the non-profit group led by privacy activist Max Schrems, has already announced that it will challenge the DPF in court, there is some reason for optimism. Under the DPF, US authorities have implemented new necessity and proportionality limitations on data access for intelligence purposes, as well as new oversight and redress mechanisms (including the new Data Protection Review Court) to better align with EU requirements. For more information about the new US protections in place under the DPF, read our previous coverage here. As with the previous two transatlantic frameworks, it remains to be seen whether the DPF will withstand review by the European courts.

Should Organizations Continue To Rely on Standard Contractual Clauses (“SCCs”) or Binding Corporate Rules (“BCRs”) To Transfer Data From The EU To The US?

Companies may continue to rely on SCCs or BCRs rather than replacing their cross-border transfer framework with the DPF. For companies continuing to rely on SCCs, a transfer impact assessment (“TIA”) will still be required, but completing a TIA will be simpler. This is because the US protections set out in Executive Order 14086 (including a new independent redress system for EU individuals and limitations on personal data collected by US intelligence authorities in the area of national security) also apply to transfers made under SCCs. Now that these protections are in force, they will support the TIA’s analysis of US laws for ensuring “essential equivalency” with EU data protection requirements.

Where Can I Get Further Information About The DPF?

On July 20, 2023 at 11:00 a.m., join a webcast hosted by Goodwin to get practical guidance on the DPF’s privacy obligations, the self-certification process, and enforcement mechanisms. The panel will also specifically address the obligations of companies that are currently certified under the EU-US Privacy Shield, as well as the expected legal challenges to the DPF, and how and when these challenges may impact the Framework’s long-term viability.

For assistance with certifying or re-certifying to the DPF and advice on implementing appropriate data transfer tools, please contact our Data Privacy & Cybersecurity team.