European Commission adopts adequacy decision for the EU-US Data Privacy Framework

What does it mean?

In essence, the EU-US DPF states that, from its entry into force on 10 July 2023, data transfers from the EU to the US can safely be allowed and need not be subject to additional transfer mechanisms, so long as the receiving company participates in the Data Privacy Framework.

As we had already highlighted in our previous post on the EU-US DPF, it introduces several important safeguards and improvements to its predecessor, the EU-US Privacy Shield, which was invalidated in Schrems II, including:

• Limited access to data of EU data subjects by US intelligence services to what is necessary and proportionate. 
• Additional rights for EU data subjects, including the right to obtain access, correction or deletion of incorrect data or data which has been unlawfully handled.
• Improved two-tier redress mechanism for EU data subjects before the new Data Protection Review Court.
• Periodic compliance reviews by the European Commission.

How will it work?

Like its predecessor, the EU-US DPF is a self-certification programme under which participating US companies agree to comply with a detailed set of DPF privacy obligations and principles. This self-certification can be done with the US Department of Commerce’s website. A list of certified companies is published and made available on the website for EU data exporters to verify the status of their data importing counterpart. 

What should an EU-based company do now?

1. Decide whether and for which contractual counterparts the DPF will be relied on.
2. If relying on the DPF, verify if the US-based recipient is certified under the DPF prior to a data transfer and if the specific data transfer in question is covered by it.
3. If relying on the DPF, update the relevant privacy notices, Records of Processing Activities and internal data privacy directives to reflect the new reliance on the DPF.
4. Where the DPF cannot be relied upon or where this is not desired, additional transfer mechanisms like Binding Corporate Rules or Standard Contractual Clauses and their respective Transfer Impact Assessments will continue to be necessary. 

What’s next?

Despite the adoption of the adequacy decision offering long-awaited relief and legal certainty for companies transferring their data to the US, it remains to be seen if and how it will hold up in court.  Max Schrems, founder of NOYB – the European Center for Digital Rights has already communicated that they expect to bring a legal challenge to the Court of Justice of the European Union (CJEU). The US’s surveillance powers remain a main point of concern for critics. 

What are the implications for Switzerland?

The Federal Data Protection and Information Commissioner (FDPIC) issued a statement on 11 July to acknowledge the European Commission’s adequacy decision, and confirmed that it is in advanced discussions with the US over a parallel framework, the so-called Swiss-US Data Privacy Framework.

Should such a Swiss-US DPF be introduced, an adequacy decision by the Federal Council will first need to be issued before Swiss companies can rely on it. With the upcoming revision of the Swiss Federal Act on Data Protection (revFADP) on 1 September 2023, this is likely to take a few more months. Until then, the Swiss adequacy list (on which the US currently does not feature) remains unchanged.

We would be happy to further discuss or address any questions that you may have about the DPF or our data privacy services more broadly.

#social#