Data Privacy Alert Library
A collection of summaries of important privacy news with expert analyses.
Alert shelved under National Laws
European Commission Approves Proposed EU-US Data Privacy Framework (DPF)
Oct 3, 2023
Why This Alert Is Important

With this announcement, it appears that the European Union (EU) and United States have finally resolved the issues that caused two previous agreements, the Safe Harbor and Privacy Shield frameworks, to fail amid concerns from the Court of Justice of the European Union (CJEU) over potential US government surveillance of EU citizens.


In 2020, the CJEU issued the Schrems II ruling in the case of Data Protection Commission v. Facebook Ireland, Ltd., invalidating the basis on which personal data of European Union citizens was transferred to the United States for processing under the Privacy Shield framework. Since then, the General Data Protection Regulation (GDPR) has prohibited data transfers to the USA without having the appropriate Standard Contractual Clauses, on the grounds that the USA did not offer a comparable level of protection of personal data to that of the EU.

Due to the importance of these international data transfers for business, the European Commission (EC) and the US Government agreed in principle on this new trans-Atlantic agreement in March 2022, but a number of procedural hurdles remained in place before this framework could resume. In early July 2023, US Secretary of Commerce Gina Raimondo issued a statement that the US had fulfilled its commitments in implementing the DPF. In short order, 24 EU member states representing over 420 million consumers voted in favor of the DPF, indicating they believe it offers an adequate level of protection of personal data, compared to three abstentions. On July 10th, the EC issued an adequacy statement, which provides a new lawful basis for trans-Atlantic data transfers from data exporters in the EU to U.S. data importers who certify compliance with the DPF principles. Now that those hurdles have been cleared, US organizations that certify their participation in the EU-US Data Privacy Framework (DPF) can receive data transfers from the EU in compliance with the GDPR.

Who It Applies To

US organizations that wish to receive data from organizations in the EU under the DPF must self-certify their adherence to its principles, including issuing a conforming privacy policy, identifying an independent recourse mechanism, and self-certifying through the website provided by the U.S. Department of Commerce. On the US side, the Federal Trade Commission will be in charge of verifying organizations’ compliance with DPF principles.

Expert Analysis
Noemí Alonso Calvo
Managing Partner at The Privacy Aces, GmbH

It doesn't come as a surprise that the US and the EU have been trying for years to establish an adequate environment for their respective organizations to be able to work together without excessive bureaucratic burdens in the globalized and data-centric world that we live in. Which is why, after two failed attempts, it seems that the third one's the charm.

However, it doesn't come as a surprise either that Mr. Schrems and noyb, the non-profit European Center for Digital Rights, are already prepared to file a new claim before the CJEU, which then would have the power to suspend the DPF until a decision is reached.

The most sensible advice for EU companies would be to keep the SCCs with any US companies they export data to, even if they certify under the new DPF (just like most of us privacy professionals did when Privacy Shield was approved), as it maintains the status quo in case of invalidation of this new DPF by the CJEU, without disrupting businesses.
