The EU and U.S. Data Privacy Framework Passes Final Hurdle
by Amy Weston
July 31, 2023
Earlier this month the U.S. privacy community received welcome news on the GDPR compliance front. On July 10, the European Commission adopted its adequacy decision on the EU-U.S. Data Privacy Framework (DPF), a shiny new self-certification program available to U.S. companies who receive or otherwise transfer personal data of EU residents. It replaces earlier data transfer mechanisms, namely the “Safe Harbor” and “Privacy Shield,” both of which were invalidated by the EU Court of Justice in the Schrems I and Schrems II cases. While many in the privacy community expect similar challenges to the DPF as those that invalidated its predecessor, some are hopeful that a legal challenge to DPF will not succeed given the DPF’s bolstered complaint redress mechanisms, which include the establishment of an independent federal court-like body to handle complaints. Even if a legal challenge is ultimately successful, experts say it could take up to four years to make its way through the courts, making certification under the DPF a worthwhile exercise for most U.S.-based companies because it will simplify compliance with GDPR and reduce the friction currently associated with EU data flow restrictions.
Successful certification under the DPF means that U.S.-based companies transferring data from the EU will no longer be required to conduct data transfer impact assessments or execute the standard commercial clauses (SCCs) promulgated and maintained by the European Commission. Companies of any size and in all industries subject to FTC or DoT authority can self-certify. In particular, we expect our clients in online services or technology-based industries, whether consumer-facing or business-facing, will benefit from certification. Certified companies may, but will not be required to, continue to rely on the SCCs as a back-up mechanism.
Data transfers to the U.S. from the UK or from Switzerland are not covered by the DPF since neither country is part of the EU. The UK has instead released a proposed “Data Bridge” certification available to DPF-certified companies, which would allow them to receive UK personal data at no additional cost. Personal data transfers from Switzerland may also qualify for protection but will be subject to a separate fee. Both remain pending adequacy decisions to be released by their respective data protection authorities.