Why Your Business Needs an EU-US Data Privacy Framework Verification


From Safe Harbor to Privacy Shield to what is now known as the EU-US Data Privacy Framework, the transfer of personal data between the EU and the US has been a decades-long roller coaster ride.

Transferring personal data from the EU to the US has become more complicated and expensive since Schrems II. A data transfer agreement to restore personal data flows between these economic regions is critical to healthy commerce, trade and investment. Privacy professionals have been patiently awaiting an adequacy decision since March 2022, when a new agreement was announced.

A decision on the adequacy of the EU-US data privacy framework has been announced

Now that the European Commission has adopted a positive adequacy decision for the EU-US Data Privacy Framework, companies can self-certify their participation in the data transfer mechanism starting on Monday, July 17, 2023. The EU-US Data Privacy Framework (and its UK extension) replaces Privacy Shield and governs transatlantic data flows from July 2023.

European entities participating in the new framework are able to transfer personal data to participating companies in the United States without the need to activate additional data protection measures. If your company has used another data transfer mechanism such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), there are still benefits to participating in the Data Privacy Framework.

For example, SCCs:

    • Require Transfer Impact Assessments (TIAs)
    • May require supplementary measures
    • Require every contract to be negotiated
    • Require an update for every new transfer

The Data Privacy Framework does not require a TIA or supplementary measures and only needs to be approved, validated and renewed once a year. New transfers are covered under the existing mechanism. As a data transfer mechanism, the Data Privacy Framework requires fewer internal resources and is more cost-effective for SMEs than SCCs.

How is the EU-US data privacy framework different from the Privacy Shield?

The Court of Justice of the European Union (CJEU) struck down the Privacy Shield due to US government access to data, not because of trade protection concerns.

From a business perspective, the Data Privacy Framework is similar in many ways to the previous agreement. But it addresses the surveillance concerns raised in the Schrems II decision, as detailed in Executive Order 14086, “Enhancing Safeguards for United States Signals Intelligence Activities”.

In addition, the US established a Data Protection Review Court (DPRC) to provide European individuals with an adequate redress mechanism for complaints of violations of United States law with respect to its intelligence activities.

So the obligations for businesses previously certified under Privacy Shield will be minimal. The Data Privacy Framework FAQs explain, “The EU-US DPF does not create materially new obligations for participating organizations with regard to the protection of EU personal data. The privacy principles and the process for initial self-certification and annual re-certification remain substantially the same.”

The main action for organizations will be to clarify privacy notices for individuals in the EU and to confirm that the notices contain all the disclosures required by the Data Privacy Framework notice principle.

If your data processing agreements with third parties refer to the Privacy Shield, those agreements should be updated to refer to the Data Privacy Framework instead.

What about Schrems?

As many suspected, Max Schrems and NOYB are not happy with the new data transfer agreement between the EU and the US.

“We now had ‘harbors’, ‘umbrellas’, ‘shields’ and ‘frameworks’ – but there is no fundamental change in US surveillance law. Today’s press statements are almost a verbatim copy of those of the past 23 years. Just declaring that something is ‘new’, ‘strong’ or ‘effective’ does not cut it in the court of justice. We would need changes to US surveillance law to make it work – and we just don’t have it.”

Max Schrems, NOYB

Schrems also explains that there are various options to challenge the new framework and expects it to be back before the Court of Justice “by the beginning of next year.”

And yet, when Alex Greenstein, Director of Privacy Shield and the Data Privacy Framework at the FTC, was asked about another Schrems court challenge, he said that the FTC and the European Commission believe they have addressed the concerns raised in the Schrems II decision.

For now, the current framework restores an important legal basis for transatlantic data flows and for participation in the digital economy, expanding economic opportunities. If the past is any indication, a challenge will take time: it took four years for the CJEU to examine the Privacy Shield challenge, and experts expect it will take two to three years for the CJEU to review the EU-US Data Privacy Framework.

Obtaining Data Privacy Framework verification

Companies must meet stricter requirements to protect Europeans’ personal data under the new framework.

A summary of the main requirements for participating organizations:

    • Inform individuals about data processing
    • Provide free and accessible dispute resolution
    • Cooperate with the US Department of Commerce (DoC)
    • Maintain data integrity and purpose limitation
    • Ensure accountability for data transferred to third parties
    • Be transparent about enforcement actions
    • Make sure commitments are kept for as long as the data is retained

For organizations that have not withdrawn from Privacy Shield, there is a three-month grace period to update company policies to reflect the new Data Privacy Framework. This grace period gives the FTC continued coverage to enforce companies’ Privacy Shield obligations. The certification renewal date under Privacy Shield and the Data Privacy Framework will not change.

>>> Review the full evaluation criteria for the EU-US and Swiss-US Data Privacy Frameworks and the UK extension to the EU-US Data Privacy Framework.

Swiss-US data privacy framework and UK extension

Participation in the EU-US or Swiss-US Data Privacy Framework also allows participating organizations to join the UK extension to the EU-US Data Privacy Framework, enabling the transfer of data from the UK to the US.

While organizations can prepare for the Swiss-US Data Privacy Framework and the UK extension now, the data transfer benefits under those frameworks are not available until each country issues an adequacy decision for the US.

Why use TRUSTe vs. self-certification?

Data Privacy Framework Verification and Seal is the simplest, most reliable and most cost-effective way to ensure compliance for EU-US personal data transfers. Verification provides a strong demonstration that you have met your DoC and European Commission obligations.

The public seal shows consumers and trading partners your standard of compliance, and you will not have to apply complicated supplementary measures.

Certification is administered by the US DoC, which processes applications for certification and monitors whether participating companies continue to meet the certification requirements. Compliance with the Framework is enforced by the US FTC.

TRUSTe’s verification process helps companies prepare for self-certification with the DoC and provides accountability oversight. You can self-certify with confidence, knowing that TRUSTe, as an Accountability Agent, has verified that your organization complies with the principles of the Data Privacy Framework and has the appropriate data protection measures in place.

Companies can also use TRUSTe’s dispute resolution services (independent recourse mechanism).

TRUSTe assurance process

Take a privacy review

Understand your data policies and practices with a privacy analysis.

Demonstrate compliance

Answer questions as required to ensure adherence to framework principles.

Personalized action plan

Receive a gap analysis and action plan that includes written guidance on your compliance position and recommendations for remediation to achieve compliance.

Remediation and verification

Collect, compile, or generate documents or processes to demonstrate compliance.

Privacy notice review and seal issuance

TRUSTe acts as your verification agent for your US Department of Commerce submission, including a TRUSTe-reviewed privacy notice, an approval letter, and a public-facing seal.

Ongoing monitoring and guidance

Continuous compliance monitoring and dispute resolution bring privacy expertise to your business. Documentation and an audit trail are available if needed.

Strengthen your data privacy compliance

Minimize the paperwork, legal fees and risk of your company’s international data transfers today. Learn more about TrustArc | TRUSTe Data Privacy Framework Verification packages.
