On 10 July 2023, the Commission of the European Union (“EU”) approved a new EU-US data privacy adequacy decision, officially launching what will now be called the “EU-US Data Privacy Framework” (“DPF”).
For background, the EU created the world’s first personal data privacy regime, called the General Data Protection Regulation (“GDPR”), in 2016; it became effective in 2018. Among other regulations, the GDPR prohibits the transfer of European personal data to third countries (like the U.S.) unless the data-receiving business has been certified as having a GDPR-compliant level of data protection. The new DPF creates the procedures and standards for U.S. companies to become certified, which will allow them to receive data transfers from EU business entities and EU locations.
Preventing the interruption of these data transfers is enormously important for both U.S. and EU businesses, particularly given the size of the Internet marketplace. For example, if a European consumer purchases a product online from a U.S.-based company or sales platform, there is a transfer of that consumer’s personal data from the EU to the U.S. This is because “personal data” includes such things as names, financial payment information, addresses, etc. If a U.S. customer buys a European product online, the same is true in the opposite direction. Just as importantly, U.S. and European companies process and store consumers’ personal data in many locations around the world. So, for example, a data processing center in Ireland operated by a U.S. business will be constantly transferring data into and out of the EU.
The new DPF replaces its predecessor framework, called the Privacy Shield. For various technical and legal reasons, the Privacy Shield was deemed unlawful by the EU’s high court in 2020. The new DPF is intended to resolve those technical and legal issues. That being said, the new DPF is very similar to the Privacy Shield framework. The additions to the new DPF generally involve requirements that U.S. entities have some compliant dispute resolution mechanism for EU consumers who have data-related complaints.
To be certified, a U.S. company must implement data collection/processing policies and procedures that are compliant with GDPR regulations. The new DPF identifies the basic level of compliance that is required. As a few examples, a U.S. entity must disclose what data is collected and processed, the business purpose of the data collection/processing, and the reasons for transferring data to third parties; it must also provide “opt-out” mechanisms, etc. And, as just noted, there must be some method for EU consumers to register data-related complaints, and there must be a dispute resolution mechanism.
The list of certified U.S. companies is maintained by the U.S. Department of Commerce, and certification must be renewed annually. If a U.S. entity is certified, then an EU-based data exporter can transfer personal data to that company and, presumptively, be in compliance with the GDPR. Otherwise, a number of other steps and safeguards are required by the GDPR. These include such things as the preparation of a data transfer impact assessment, the inclusion of certain contractual clauses in agreements with the data-receiving entity, the implementation of binding corporate rules by the data-receiving entity, etc.
Contact The Consumer Data Privacy and Compliance Attorneys At Revision Legal
For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.