Companies on both sides of the Atlantic have been looking forward to a new way to share personal data between the EU and the US. We are happy to say: it's finally here! On 10 July 2023, the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework (the 'DPF'). This allows companies to share data between the EU and the US more easily and with lower legal risk.
Do you work for a European company that shares personal data with the US? Or for a US company that receives EU data? In this article, we explain what the decision means for you and what you still need to do to comply with the GDPR.
What to do for international data transfers?
The General Data Protection Regulation (GDPR) applies when you process personal data about people in the EU. In short, the GDPR allows you to transfer personal data to recipients outside the EU in two ways: on the basis of an adequacy decision of the European Commission, or by implementing appropriate safeguards. (Article 49 GDPR also contains derogations for specific situations, but these are narrow and not meant for routine transfers.)
An adequacy decision can be taken by the European Commission for countries or territories that provide a level of data protection essentially equivalent to that of the GDPR. If an adequacy decision is in place, no specific additional transfer safeguards are needed to send data to that country (other than those the GDPR requires for all companies anyway, such as data processing agreements). An overview of all adequacy decisions is published here.
If there is no adequacy decision, you can only transfer personal data if you implement 'appropriate safeguards'. This means that a specific mechanism must be in place to ensure an adequate level of data protection by the recipient, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). On top of that, a transfer impact assessment and supplementary measures are often required as well. Read more about SCCs here.
How does the EU-US DPF make this easier?
Because the European Commission has adopted an adequacy decision for the EU-US DPF, you can transfer personal data to US companies without appropriate safeguards or a transfer impact assessment, provided those companies are DPF certified and the data falls within the scope of their certification.
The DPF is a set of privacy obligations that US companies can commit to. A company self-certifies its participation through the US Department of Commerce (see https://www.dataprivacyframework.gov), must renew that certification annually, and compliance is enforced by the Federal Trade Commission (FTC). In essence, certification to the DPF binds a company to uphold a level of data protection similar to the GDPR: it imposes obligations on the company and grants rights to data subjects.
What should European companies do?
You can use the new framework to make data sharing easier if you work for an EU company that transfers data to the US or stores data in the US (e.g. through a US-based service provider).
For new contracts, first check here whether the recipient company is DPF certified so you can rely on the adequacy decision. Check not only that the company appears on the list, but also that its certification is active and covers the categories of data you intend to transfer (the list distinguishes between HR and non-HR data). If the company is not DPF certified, implement appropriate safeguards (such as SCCs) and carry out a transfer impact assessment. In that assessment, you can use the considerations from the adequacy decision to argue that the transfer is safe.
For your current contracts, there is no immediate need to update or renegotiate. We advise keeping them as agreed earlier for now. If a contract renewal is due and your partner has become DPF certified, you can move to the new mechanism.
The EEA countries Iceland, Norway and Liechtenstein are covered by the DPF in the same way as EU member states. For Switzerland and the United Kingdom, US companies can self-certify to the Swiss-US DPF and the UK Extension from 17 July 2023. However, the governments of these two countries must first take their own adequacy decisions before Swiss and UK companies gain the same benefits as EEA companies. There are no clear timelines for such decisions yet, so appropriate safeguards and transfer impact assessments are still necessary for transfers from Switzerland and the UK.
What should US companies do?
Again, there is no immediate need to update or renegotiate existing contracts. However, your EU partners will most likely appreciate your DPF certification, and we advise you to use it for new contracts and contract renewals. Keep in mind that the certification must be renewed annually: if it lapses, your EU partners lose the basis for the transfer.
Nobody can predict the future. As long as an adequate level of data protection is ensured through the DPF, data can flow freely. However, data protection in the US is not undisputed. In particular, civil rights groups are concerned about the far-reaching access rights of US intelligence agencies. The US President has attempted to address these concerns through Executive Order 14086, which introduces additional mechanisms for limiting access, increasing oversight, and enabling redress for EU individuals. Still, it is not yet clear whether this is sufficient.
Because of this, we expect legal challenges that will ultimately reach the Court of Justice of the European Union. There is a real possibility that the DPF will be invalidated altogether, just as its predecessors Safe Harbour (2015) and the EU-US Privacy Shield (2020, in the Schrems II judgment) were. We advise caution, especially when you are dealing with sensitive data, such as health data. For sensitive data, we recommend always implementing and enforcing additional security measures (such as pseudonymisation, encryption, and a privacy-by-design approach in general), so that you do not depend solely on the legal transfer mechanism.
Overall, the adequacy decision and the DPF are good news for European companies that share personal data with the US. Data sharing becomes easier, because no 'appropriate safeguards' are needed. Keep in mind that the recipient company must be DPF certified, stay alert for future developments, and make sure you comply with the other GDPR requirements. If you do that, transatlantic data sharing is easier than it has been in years.
Please feel free to contact us to discuss the requirements and possibilities. You can reach us on +31 (0)88 8483 100.