Release date: 09/05/2023
To solve the data transfer issue between the European Union (EU) and the United States (US), representatives from both sides have been working on a new data privacy framework that addresses the concerns raised by the Court of Justice of the European Union (CJEU) in the Privacy Shield case. On July 10, 2023, the European Commission formally approved the EU-U.S. Data Privacy Framework (“DPF”). This new Framework aims to provide a solid legal basis for transatlantic data transfers while ensuring that EU personal data is protected in line with the EU’s data protection standards.
Data transfer from the EU to any third country outside the EU relies on a few mechanisms. One is an adequacy decision, which the EU has issued for certain countries. There are currently fifteen recognized countries, including Japan and the Republic of Korea. The US is the latest to obtain adequacy status via the new DPF.
Many might remember that, on October 6, 2015, the EU-US transfer tool Safe Harbor was invalidated. Less than a year later, in 2016, the European Commission issued an adequacy decision on the EU-U.S. Privacy Shield Framework, which replaced the Safe Harbor tool. From then until 2021, the EU-US Privacy Shield was the most significant Framework governing personal data transfer between the EU and the US. The Privacy Shield was designed to provide a legal mechanism for companies to transfer personal data from the EU to the US while ensuring the data was protected in line with EU data protection laws. However, the EU-US Privacy Shield faced legal challenges. In July 2020, in the “Schrems II” ruling, the CJEU invalidated the Framework: because of US surveillance practices, EU personal data transferred to the US did not receive protections equivalent to those in the EU, which the court deemed not in line with EU data protection standards. Following the invalidation of the Privacy Shield, companies have had to rely on other data transfer mechanisms, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), to transfer personal data between the EU and the US legally, and the “Schrems II” ruling also affected the use of SCCs.
With the newly approved EU-US DPF, participating companies are deemed to provide adequate privacy protection for personal data transfers and do not need prior authorization. The new DPF is also a more cost-effective way for small and medium companies to comply. Although the DPF incorporates characteristics of the GDPR, complying with the DPF does not equal compliance with the GDPR; it covers only a subset of the requirements for international data transfer. The new framework also has a UK Extension and the Swiss-U.S. DPF, covering data transfers from those countries to the US. While some details still need to be finalized on the Swiss and UK sides, companies can already start the self-certification process. The DPF also makes it easy for companies already in the Privacy Shield program to switch to the DPF by updating their privacy policies and procedures.