
The EU and U.S. Data Privacy Framework passes Final Hurdle by Amy Weston


July 31, 2023

Earlier this month the U.S. privacy community received welcome news on the GDPR compliance front. On July 10, the European Commission adopted its adequacy decision on the EU-U.S. Data Privacy Framework (DPF), a shiny new self-certification program available to U.S. companies who receive or otherwise transfer personal data of EU residents. It replaces earlier data transfer mechanisms, namely the “Safe Harbor” and “Privacy Shield,” both of which were invalidated by the EU Court of Justice in the Schrems I and Schrems II cases. While many in the privacy community expect similar challenges to the DPF as those that invalidated its predecessor, some are hopeful that a legal challenge to DPF will not succeed given the DPF’s bolstered complaint redress mechanisms, which include the establishment of an independent federal court-like body to handle complaints. Even if a legal challenge is ultimately successful, experts say it could take up to four years to make its way through the courts, making certification under the DPF a worthwhile exercise for most U.S.-based companies because it will simplify compliance with GDPR and reduce the friction currently associated with EU data flow restrictions.

Successful certification under the DPF means that U.S.-based companies transferring data from the EU will no longer be required to conduct data transfer impact assessments or execute the standard commercial clauses (SCCs) promulgated and maintained by the European Commission. Companies of any size and in all industries subject to FTC or DoT authority can self-certify. In particular, we expect our clients in online services or technology-based industries, whether consumer-facing or business-facing, will benefit from certification. Certified companies may, but will not be required to, continue to rely on the SCCs as a back-up mechanism.

Companies who maintained their certification under the now-defunct Privacy Shield will have until October 2023 to update their existing policies to reference the DPF and include a statement of adherence to the DPF principles. Companies not currently certified under the Privacy Shield can now self-certify through the Department of Commerce’s DPF website. Certification includes making a public commitment – through a publicly facing privacy policy – to key privacy principles including notice, choice, and accountability for onward transfer. Experts expect the certification process to take anywhere from one to four months to complete from start to finish, depending on the organization’s resources and level of sophistication. The fee to certify will vary depending on the organization’s size but will in most cases be under $1,000.

Data transfers to the U.S. from the UK or from Switzerland are not covered by the DPF since neither country is part of the EU. The UK has instead released a proposed “Data Bridge” certification available to DPF-certified companies, which would allow them to receive UK personal data at no additional cost. Personal data transfers from Switzerland may also qualify for protection but will be subject to a separate fee. Both remain pending adequacy decisions from their respective data protection authorities.

Got questions? Need help crafting a DPF-compliant privacy policy? Contact the Carney Privacy Team!
