This post was written by Jessica Mozingo.
In July 2020, the famous Schrems II decision invalidated the EU-U.S. Privacy Shield on which thousands of companies relied for trans-Atlantic data transfers. Since then, standard contractual clauses (SCCs) have become the go-to method of governing data transfers from the European Economic Area.
Three years later, the EU and US have successfully negotiated a replacement for the invalidated Privacy Shield, in the form of the EU-US Data Privacy Framework (DPF or “Framework”). The European Commission issued an adequacy decision for the Framework, which the EU member states approved. Therefore, as of July 11, 2023, personal data can flow safely from the EU to US companies participating in the Framework without having to put in place additional data protection safeguards. SCCs and binding corporate rules (BCRs) remain available as cross-border data transfer mechanisms.
The Framework will require companies to commit to, and self-certify that they follow, a detailed set of privacy obligations established by the U.S. Department of Commerce, and to recertify annually, much like the former Privacy Shield. It builds on the former Privacy Shield, with updates that limit US intelligence access to EU data to only what is “necessary and proportionate” and that establish a Data Protection Review Court as a redress mechanism for EU citizens who wish to challenge access, both of which were key to the Schrems II decision.
Companies can participate in the Framework in various ways:
- Current Privacy Shield participants (still subject to their commitments) have until October 17, 2023 to update their Privacy Policies to refer to the Framework instead. This will be effective to govern data transfers until it is time to recertify, at which point certification to the Framework is required.
- Others not currently participating in the former Privacy Shield will need to certify to the Framework in an application process. Once registration is confirmed, data transfers may be conducted under the Framework.
Transfer impact assessments should still be conducted for data transfers, but companies participating in the Framework may rely on the adequacy decision for the Framework.
Information on the Framework, and the ability to apply for certification to the Framework, is available on the program’s website dataprivacyframework.gov as of Monday, July 17, 2023.