EU Commission Adopts New Adequacy Decision for Safe and Trusted EU-US Data Flows: What You Need to Know
Recent Adequacy Decision Adoption
The Privacy Shield Framework, the previous mechanism for EU-U.S. data transfers, was invalidated by the Court of Justice of the European Union in 2020 over concerns about U.S. signals intelligence access to transferred data. After years of negotiation to reestablish a transfer mechanism, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework (DPF) on July 10, 2023. The decision concludes that the United States ensures a level of protection for personal data transferred from the EU to U.S. companies participating in the framework that is comparable to the level of protection within the European Union.
Key elements include a new set of binding safeguards that limit access to EU data by U.S. intelligence agencies to what is necessary and proportionate to protect national security, and a new two-tier redress mechanism, including a Data Protection Review Court, for investigating and resolving complaints from Europeans about access to their data by U.S. intelligence. Companies processing data transferred from the EU take on strong obligations, and the DPF includes specific monitoring and review mechanisms.
Personal data can now flow from the EU to U.S. companies participating in the framework without the need for supplementary transfer safeguards. According to the Commission, the new binding safeguards address the concerns raised by the Court of Justice of the EU, including limiting access to EU data by U.S. intelligence to what is necessary and proportionate and establishing the Data Protection Review Court.
President Ursula von der Leyen said, “The new EU-U.S. Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic. Following the agreement in principle I reached with President Biden last year, the US has implemented unprecedented commitments to establish the new framework. Today we take an important step to provide trust to citizens that their data is safe, to deepen our economic ties between the EU and the US, and at the same time to reaffirm our shared values. It shows that by working together, we can address the most complex issues.”
Features and Benefits
The EU-U.S. Data Privacy Framework offers benefits to U.S. organizations and their European partners, including:
- Safe and secure data flows
- Sufficient safeguarding of personal data when it is transferred from the EU to the U.S., in compliance with the law
- A thriving, competitive digital economy and closer trans-Atlantic cooperation
- Sustained data transfers that support billions of dollars in international trade annually
- Legal certainty for all parties that the transfers meet the privacy standards required for international data transfers
- Adequate data protection provided by participation in the framework itself, so that transfers to a participant do not require prior authorization or additional contractual safeguards
- Cost-efficient compliance requirements that are particularly beneficial for small and medium-sized enterprises
Key Requirements for DPF Participating Organizations
An organization must meet certain key requirements to participate in the DPF:
- Informing people about data processing
- Providing free and accessible dispute resolution
- Cooperating with the U.S. Department of Commerce
- Maintaining data integrity and purpose limitation
- Ensuring accountability for data transferred to third parties
- Transparency related to enforcement actions
- Ensuring commitments are kept for as long as data is held
Informing People about Data Use
Organizations must commit in their privacy policy to follow the DPF Principles; once made, this commitment is enforceable under U.S. law. The policy must also link to the program's website and indicate where a complaint can be filed if needed, and it must inform individuals of their rights regarding their data.
Resolving Problems for Free
An individual with a complaint about how their data is handled can raise it directly with the organization, which has 45 days to respond. Participating organizations must also provide an independent recourse mechanism that individuals can use free of charge. For complaints lodged with data protection authorities in Europe, the U.K., or Switzerland, the U.S. Department of Commerce's International Trade Administration (ITA) has committed to make best efforts to facilitate a resolution within 90 days. If the complaint still cannot be resolved, the individual may invoke binding arbitration, which participating organizations must agree to.
Working with the U.S. Department of Commerce
Organizations must cooperate with the U.S. Department of Commerce by responding promptly to its inquiries and requests for information about their DPF compliance.
Keeping Data Safe and Useful
Organizations must limit personal data to what is relevant for the purposes of processing, must not process it in a way that is incompatible with the purposes for which it was collected, and must take reasonable steps to keep it accurate, complete, and current.
Holding Others Accountable
When transferring data onward to other companies, organizations must ensure that the recipients provide the same level of protection as the DPF Principles. Organizations must also oversee companies that process data on their behalf as agents and take reasonable steps to ensure those agents handle the data consistently with the organization's DPF obligations.
Transparency about Enforcement Actions
A participating organization that becomes subject to an FTC or court order based on non-compliance must make public any relevant DPF-related sections of compliance or assessment reports it submits to the FTC or the U.S. Department of Transportation.
Keeping Commitments as Long as Data is Held
An organization that leaves the program but still holds personal data received under it must, if it chooses to keep the data, continue to apply the DPF Principles to that data and affirm this commitment to the U.S. Department of Commerce annually.
How to Join
Participation is voluntary and becomes effective upon self-certification. Organizations self-certify to the International Trade Administration (ITA) and publicly declare their commitment to adhere to the DPF Principles; that commitment is then enforceable under U.S. law.
To enjoy benefits of the DPF program, an organization must initially self-certify and then re-certify annually to the ITA through the DPF program website.
1. Verify Eligibility for DPF Program:
Only U.S. organizations subject to the jurisdiction of the FTC or the DOT can participate. The personal data an organization receives under the DPF must relate to activities that fall within the jurisdiction of the statutory bodies listed in the DPF Principles.
2. Create a DPF-Compliant Privacy Policy:
Before self-certifying with the ITA, your organization must develop a privacy policy that complies with the DPF requirements. The policy should accurately reflect your data handling practices and the choices available to individuals, and it should be clear, concise, and easy to understand, using the Notice Principle as a guide.
The privacy policy must state your organization's adherence to the DPF Principles and include a hyperlink to the DPF program website. First-time self-certifiers should wait for notification from the DPF team that the self-certification has been finalized before claiming DPF participation in their policy.
If your organization uses an independent recourse mechanism for dispute resolution, link the relevant website or complaint form for unresolved DPF compliance complaints.
How to Re-Certify
Organizations in the DPF program must re-certify annually with the ITA. If they fail to do so or voluntarily withdraw, they will be removed from the Data Privacy Framework List, losing the right to receive personal data through the program. The commitment to follow the DPF Principles applies to received data for as long as the organization holds it, even if they leave the program. Below are steps for re-certification.
- Review and Update Privacy Policy: Make sure your privacy policy aligns with your practices and complies with DPF Principles.
- Check Independent Recourse Mechanism: Ensure you have a free independent recourse mechanism for handling complaints about DPF compliance and verify that it is still valid. If your organization has chosen to cooperate with the EU data protection authorities as its recourse mechanism, pay the required annual fee.
- Verification Mechanism: Have a system in place to verify that your privacy practices align with DPF Principles, either through self-assessment or external reviews.
- Contribute to Binding Arbitration: If not done already, contribute to the arbitration fund as required, so individuals can invoke binding arbitration if needed.
- Review Required Information: Familiarize yourself with the information needed for re-certification, which is the same as the initial certification.
- Log in and Update: Log in to your DPF account, update your information, and ensure you have multiple organization contacts.
- Submit and Pay: Submit your re-certification along with the processing fee. The DPF team will review, and if issues arise, you’ll need to address them within the given timeframe.
If an organization’s certification lapses, the ITA will ask if they want to withdraw or re-certify. If they choose to withdraw, they must explain what they’ll do with the data received under the program. If re-certifying, they must confirm they followed DPF Principles during the lapse and explain how they’ll address any issues delaying their re-certification.
Conclusion
The U.S. Department of Commerce launched the DPF program website on July 17, 2023, enabling eligible U.S. companies to self-certify their participation in the EU-U.S. DPF.
With trans-Atlantic data flows estimated to underpin trillions of dollars in trade and investment annually, the EU-U.S. DPF is a crucial mechanism for fostering economic opportunities for U.S. businesses of all sizes and sectors. The program is especially beneficial for small and medium-sized enterprises, offering them an affordable and streamlined means to receive personal data transfers from the European Economic Area. Data flows between the United States and Europe are unparalleled globally, supporting the $7.1 trillion economic relationship between the U.S. and the EU.
Sources:
Data Privacy Framework. (2023). Data Privacy Framework Program. https://www.dataprivacyframework.gov/s/. Accessed August 26, 2023.
European Commission. (2023, July 10). Commission Implementing Decision under the EU-U.S. Data Privacy Framework. [PDF document]. https://commission.europa.eu/system/files/2023-07/Adequacy%20decision%20EU-US%20Data%20Privacy%20Framework_en.pdf
This information is not intended to serve as legal advice. Nor is it intended to act as compliance advice specific to the processes of any specific company. Application of compliance laws is a company-specific endeavor. We recommend that you contact compliance counsel to discuss the application of information found herein to your operations.