What is the new EU-US Data Privacy Framework?
The White House recently released an executive order that implements the much-anticipated EU-US Data Privacy Framework (DPF). Together with the Department of Justice regulations, the DPF seeks to address two key shortfalls of the Privacy Shield framework, which the Court of Justice of the European Union (CJEU) cited in the ‘Schrems II’ decision as reasons for invalidating it:
- The absence of necessity and proportionality limits on the US surveillance programs and
- Insufficient judicial redress rights for individuals to challenge the US surveillance they consider to be unlawful.
Under the DPF, US intelligence programs will now be curtailed to what is necessary and proportionate. In other words, the personal data of European data subjects will no longer be subject to unrestrained, bulk surveillance. Moreover, a two-layer redress mechanism will be introduced enabling data subjects to challenge unlawful surveillance by US intelligence services.
For these reasons, the DPF is expected to withstand a possible challenge in the CJEU, though some have already expressed doubts as to whether the DPF satisfies EU law.
How does this affect my organisation?
For now, this development has no direct impact on existing data flows between the EU and the US. Until the European Commission formally recognises the US as a jurisdiction providing adequate data protection safeguards (through a process known as an ‘adequacy decision’), transfers to the US must continue to rely on the other currently available mechanisms, such as standard contractual clauses (SCCs) or binding corporate rules.
What’s next, and how might this affect my organisation in the future?
The European Commission will now initiate a process to issue an adequacy decision for the US. This is a complex process consisting of several steps, and we expect that it will take at least 6 months.
If the European Commission issues an adequacy decision for the US, personal data will flow freely between the EU and the US for organisations self-certified to the DPF’s commercial principles. In other words, you will no longer need to have SCCs in place or to conduct accompanying transfer impact assessments (TIA) and implement supplementary measures.
Notably, if issued, the European Commission’s adequacy decision in relation to the US will not affect restricted data transfers caught by the UK’s data protection laws. Organisations in the UK will still have to comply with the UK data transfer rules and continue to use the relevant tools currently in place (such as the international data transfer agreement and transfer risk assessments). If the European Commission issues the adequacy decision, it is likely that the UK will follow suit and also declare the US ‘adequate’. If this happens, it will mean free data flows between UK and US entities as well, so it is important that UK-based organisations with exposure to data transfers to the US keep an eye on the outcome.
What should I do before an adequacy decision is issued?
Until the European Commission issues the adequacy decision, you should continue to use other mechanisms for international data transfers (such as SCCs approved by the European Commission in combination with appropriate TIAs and relevant supplementary measures).
You should also make sure that you have updated any transfer agreements entered before 27 September 2021 that still rely on the previous version of EU SCCs. The deadline for this expires on 27 December 2022.
If you have any queries or would like further information about BDO UK’s data protection services, please visit our website.