The EU-U.S. Data Privacy Framework (DPF) was created to give U.S. companies a clear means of making EU-U.S. data transfers that comply with the GDPR. The DPF is the replacement for the EU-U.S. Privacy Shield, which was invalidated in July of 2020 following the Schrems II ruling.
On July 10, 2023, the EU-U.S. Data Privacy Framework (DPF) was deemed adequate by the EU Commission. Since Privacy Shield’s invalidation, U.S. and EU government officials had been negotiating a replacement EU-U.S. transfer mechanism for personal data. This is especially good news for companies that maintained their certification with the EU-U.S. Privacy Shield.
What is the EU-U.S. Data Privacy Framework?
The DPF (as it is known) is a framework that U.S. companies can certify to in order to satisfy the GDPR when transferring personal data from the EU to the U.S. Certifying to the DPF means agreeing to a set of principles that honor the privacy rights set forth by the GDPR. Once a company is certified, the principles become enforceable.
EU-U.S. Data Privacy Framework Principles
The DPF shares the same principles as the U.S.-EU Privacy Shield, which are very similar to the 7 principles of the GDPR. Those principles are:
- Notice – An individual must be told what type of data is collected about them and how it will be used. They also must be told how to contact an organization for inquiry or complaint.
- Choice – An individual must have the right to opt out of having their data shared or used for purposes other than those for which it was originally collected, and must be given the technical means to exercise that choice (e.g., opting out of having data shared or used).
- Accountability for onward transfer – Organizations are responsible for complying with the choices made by individuals about the use of their data (e.g., selling or sharing their data).
- Security – Organizations are required to take reasonable and appropriate measures to protect data from loss, misuse, unauthorized access, disclosure, alteration or destruction, taking into account the risks involved in the processing and the nature of the personal data. In a nutshell, organizations are required to have security consistent with the risk posed to individuals (NOT the company) were that data compromised.
- Data integrity and purpose limitation – Organizations must limit processing of data to what is needed and only use data for purposes compatible with the reasons for which it was collected.
- Access – Individuals must have access to the data organizations hold about them and have the right to correct, amend or delete information when it is inaccurate (with some exceptions).
- Recourse, enforcement and liability – In short, individuals must have access to independent recourse mechanisms to seek remedy should the principles above be violated.
Schrems Rulings (History)
Max Schrems is a well-known privacy advocate and attorney. This is a quick reference of his involvement with EU-U.S. data transfers and U.S. privacy frameworks.
Schrems I
Maximillian Schrems v. Data Protection Commissioner – In the wake of the Snowden revelations, Mr. Schrems brought legal action against the Irish data protection authorities seeking to halt data transfers from Facebook Ireland to Facebook Inc. This led to the invalidation of the U.S.-EU Safe Harbor Framework, which Facebook relied upon for EU-U.S. data transfers.
Schrems II
Data Protection Commission v. Facebook Ireland, Schrems – Mr. Schrems challenged the adequacy of the EU-U.S. Privacy Shield Framework. U.S. surveillance (FISA) and inadequate legal redress for EU individuals were at the core of this challenge, which led to the invalidation of the EU-U.S. Privacy Shield Framework.
Schrems III?
EU-U.S. Data Privacy Framework… Will this result in a third Schrems legal challenge? Great question.
What Is The Difference Between Privacy Shield And DPF?
From a U.S. business standpoint, there isn’t a significant practical difference. The rights EU citizens had under Privacy Shield are very much the same as under the DPF. There are two key differences in the DPF.
First is U.S. intelligence agencies’ access to the personal data of European citizens. The European Court of Justice (CJEU) ruled that U.S. surveillance was disproportionate and often not needed. Necessity and proportionality are foundational to meeting the GDPR’s requirements (Article 6) for lawful processing. In a press release from the EU Commission, the issue of U.S. surveillance programs was specifically mentioned. It is worth noting that this was the largest sticking point and the cornerstone of the Schrems II ruling.
“The EU-U.S. Data Privacy Framework introduces new binding safeguards to address all the concerns raised by the European Court of Justice, including limiting access to EU data by US intelligence services to what is necessary and proportionate, and establishing a Data Protection Review Court (DPRC), to which EU individuals will have access.”
The second is adequate access to redress for individuals in protected member states, as required by the GDPR. Additional avenues for individuals were mentioned, as well as the creation of a U.S. Data Protection Review Court (DPRC). In theory, the redress requirements will afford EU individuals a similar ability to hold a company accountable as they would have under the GDPR.
“EU individuals will benefit from several redress avenues in case their data is wrongly handled by US companies. This includes free of charge independent dispute resolution mechanisms and an arbitration panel.”
Again, from a U.S. business standpoint, there isn’t a significant difference. These changes have more to do with U.S. government agencies and the ability of EU citizens to exercise their data privacy rights with U.S. companies and government agencies.
How Do I Certify For The Data Privacy Framework?
If a company maintained its certification with the EU-U.S. Privacy Shield, there is very little to be done before it can rely on the DPF. Privacy policies must be updated to reference the DPF instead of Privacy Shield and to comply with the DPF principles, but this is not a significant change.
If your company did not certify or maintain a Privacy Shield certification, it will need to self-certify through the DPF website. This process is very similar to the process for certifying with Privacy Shield (as are the principles and requirements). It should be noted that some sectors, such as health care and financial services, are excluded from the DPF.
What About The UK And Switzerland?
The UK extension
Since Brexit (2020), the UK has had an equivalent data privacy law of its own. When Privacy Shield was implemented (2016), Brexit had not yet happened. The UK has agreed to an extension of the DPF for data transfers from the UK to the U.S. According to the DPF website, extending participation to the UK is a simple election, and it will renew the same way.
The Swiss-U.S. Data Privacy Framework
The Swiss-U.S. Data Privacy Shield was invalidated in 2020, shortly after the EU-U.S. Privacy Shield. Unlike the UK extension to the DPF, the Swiss-U.S. Data Privacy Framework is standalone and not dependent on the EU-U.S. DPF. The certification and renewal processes remain largely the same.
Schrems III
On the NOYB website, they say plainly that they “will challenge the decision” of the DPF being granted adequacy. In a statement on the NOYB site Mr. Schrems said:
“We have various options for a challenge already in the drawer, although we are sick and tired of this legal ping-pong. We currently expect this to be back at the Court of Justice by the beginning of next year. The Court of Justice could then even suspend the new deal while it is reviewing the substance of it. For the sake of legal certainty and the rule of law we will then get an answer if the Commission’s tiny improvements were enough or not. For the past 23 years all EU-US deals were declared invalid retroactively, making all past data transfers by business illegal – we seem to just add another two years of this ping-pong now.”
This creates an interesting dilemma for American companies. We have seen two EU-U.S. frameworks invalidated, and the man who successfully challenged both of them is vowing to do the same with the third. With the recent Meta decision in mind, Standard Contractual Clauses (SCCs) carry uncertainty as well.
Conclusion
After Privacy Shield’s invalidation, many U.S. companies were left scrambling to find a legal means of moving data from the EU back to the U.S. Despite the DPF’s commitment to meeting EU privacy standards, it will almost certainly face legal challenges to its adequacy. With no meaningful difference between Privacy Shield and the DPF from a business perspective, it seems likely that challenges and later concessions on the U.S. side will be aimed at government agencies rather than U.S. companies. With this being the third attempt at such a framework and with certifications ‘grandfathered’ from Privacy Shield to the DPF, the U.S. Department of Commerce seems committed to its success and the EU Commission seems satisfied with the adjustments. Corporate legal teams will rightly look at adoption with additional scrutiny, but given the minor change from Privacy Shield to the DPF, the DPF is certainly worth considering.