From Safe Harbor to Privacy Shield to what is now known as the EU-US Data Privacy Framework, personal data transfers between the European Union and the United States have been on a decades-long rollercoaster.
Transferring personal data from the EU to the US has been more complicated and expensive since Schrems II. A data transfer agreement to restore personal data flows between these economic regions is critical for healthy commerce, trade, and investment. Privacy professionals have been waiting patiently for an adequacy decision since March 2022, when a new agreement was announced.
EU-US Data Privacy Framework Adequacy Decision Announced
Now that the European Commission has adopted a positive adequacy decision for the EU-US Data Privacy Framework, companies can self-certify their participation in the data transfer mechanism as of Monday, July 17, 2023. The EU-US Data Privacy Framework (and UK extension) replaces Privacy Shield and regulates transatlantic data flow starting in July 2023.
European entities that participate in the new framework are able to transfer personal data to participating companies in the United States without having to put in place additional data protection safeguards. If your company has been using another data transfer mechanism such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), there are still benefits to participating in the Data Privacy Framework.
For example, SCCs:
- Require Transfer Impact Assessments (TIA)
- May require supplementary measures
- Have to be negotiated in every contract
- Have to be updated for every new transfer
The Data Privacy Framework will require no TIA or supplementary measures and will only need to be certified/verified/renewed once a year. New transfers will qualify under the existing mechanism. As a data transfer mechanism, the Data Privacy Framework will require fewer internal resources and is more affordable for small and medium businesses when compared to SCCs.
How is the EU-US Data Privacy Framework Different from Privacy Shield?
The Court of Justice of the European Union (CJEU) overturned Privacy Shield due to U.S. government access to data, not because of commercial protection concerns.
From a business perspective, the Data Privacy Framework is similar in many ways to the former agreement. But it addresses the surveillance concerns raised in the Schrems II decision as outlined in Executive Order 14086 “Enhancing Safeguards for United States Signals Intelligence Activities.”
Additionally, the U.S. has established a Data Protection Review Court (DPRC) to provide European individuals with a proper redress mechanism for qualifying complaints of violations of the United States law in relation to its intelligence activities.
Therefore obligations for businesses that were previously Privacy Shield verified will be minimal. The Data Privacy Framework Program FAQ explains, “the EU-U.S. DPF does not create new substantive obligations for participating organizations with regards to protecting EU personal data. The privacy principles and the process to initially self-certify and annually re-certify remain substantively the same.“
The primary action for organizations will be to clarify privacy notices for EU individuals and to confirm notices contain all disclosures required under the Data Privacy Framework notice principle.
If your data processing agreements with third parties reference Privacy Shield, these agreements should be updated to instead reference the Data Privacy Framework.
What About Schrems?
As many have suspected, Max Schrems and the NOYB aren’t satisfied with the new agreement for EU-US data transfers.
“We now had ‘Harbors’, ‘Umbrellas’, ‘Shields’ and ‘Frameworks’ – but no substantial change in US surveillance law. The press statements of today are almost a literal copy of the ones from the past 23 years. Just announcing that something is ‘new’, ‘robust’ or ‘effective’ does not cut it before the Court of Justice. We would need changes in US surveillance law to make this work – and we simply don’t have it.”
Max Schrems, NYOB
Schrems also explains there are various options for a challenge to the new framework and expects that it will be back at the Court of Justice “by the beginning of next year.”
Yet, when Alex Greenstein, Director of Privacy Shield | Data Privacy Framework at the FTC was asked about another Schrems court challenge, he expressed that the FTC and the European Commission believe they’ve addressed those concerns raised in the Schrems II decision.
For now, this current framework restores an important legal basis for transatlantic data flows and participation in the digital economy to expand economic opportunities. And in case the past is any indication, it took four years for the CJEU to examine the Privacy Shield challenge. Experts expect it will take two to three years before an EU-U.S. Data Privacy Framework CJEU examination.
Getting a Data Privacy Framework Verification
Companies must meet strict requirements to protect Europeans’ personal data under the new framework.
A Summary of Key Requirements for Participating Organizations:
- Inform individuals about data processing
- Provide free and accessible dispute resolution
- Cooperate with the U.S. Department of Commerce (DoC)
- Maintain data integrity and purpose limitation
- Ensure accountability for data transferred to third parties
- Transparency related to enforcement actions
- Ensure commitments are kept as long as data is held
For organizations that didn’t withdraw from Privacy Shield, there’s a three month grace period to update company policies to reflect the new Data
Privacy Framework. This grace period provides the FTC with continuous coverage to enforce companies’ commitments to Privacy Shield. Your Privacy Shield and Data Privacy Framework certification renewal date won’t change.
Review the complete EU-U.S. and Swiss-U.S. Privacy Framework and UK Extension to the EU-U.S. and/or the Swiss-U.S. Data Privacy Framework Verification Program Assessment Criteria: Review the criteria
Swiss-U.S. Data Privacy Framework and The UK Extension
Participation in either the EU-U.S. or Swiss-U.S. Data Privacy Frameworks also enables participating organizations to participate in the UK Extension to the EU-U.S. Data Privacy Framework to enable data transfers from the UK to the U.S.
While organizations can prepare for the Swiss-U.S. Data Privacy Framework and the UK extension now, data transfer benefits under those frameworks aren’t available until each country presents an adequacy decision for the U.S.
TrustArc makes our Privacy Shield compliance process easy and straightforward.
Darren D., Chief Information Security Officer
Why Use TRUSTe vs. Self-Certification?
A Data Privacy Framework Verification and seal is the simplest, most reliable, and cost-effective way to ensure EU-U.S. personal data transfer compliance. The verification provides a robust demonstration that you’ve met the obligations of the DoC and European Commission.
The public seal shows consumers and trade partners your standard of compliance. Meaning you will not need to implement complicated supplementary measures.
Certification is administered by the U.S. DoC, which processes applications for certifications and monitors whether participating companies continue to meet the certification requirements. Compliance with the framework will be enforced by the U.S. FTC.
The TRUSTe verification process helps companies prepare for self-certification with the DoC and provides accountability oversight. Your company can self-certify with confidence knowing TRUSTe, as an Accountability Agent, has verified that your organization meets the Data Privacy Framework principles with the appropriate data protection measures in place.
Optionally companies can also use TRUSTe services for dispute resolution (independent redress mechanism).
The TRUSTe Assurance Process
- Conduct Privacy Review: Understand your data policies and practices through a privacy analysis.
- Demonstrate Compliance: Answer questions aligned with the requirements to ensure compliance with the framework principles.
- Customized Action Plan: Receive a gap analysis and action plan including written guidance on compliance posture and remediation recommendations to achieve compliance.
- Remediation and Verification: Collect, compile, or generate documents or processes to demonstrate compliance.
- Privacy Notice Review and Seal Assurance: TRUSTe serves as your verification agent for your U.S. Department of Commerce filing, including a TRUSTe-reviewed Privacy Notice, Letter of Attestation, and a seal for public posting.
- Ongoing Monitoring and Guidance: Ongoing compliance monitoring and dispute resolution provide privacy expertise for your business. Documentation and an audit trail are available in case it’s needed.