EU-U.S. Data Privacy Framework: How the European Commission’s Decision Affects Data Transfers 


On July 10, 2023, the European Commission announced its decision to adopt the EU-U.S. Data Privacy Framework (Framework). The Framework allows US-based organizations to transfer the personal data of EU citizens to the U.S. under a more uniform and standardized regime. At its core, the Framework introduces new safeguards that address the ability of U.S. intelligence services to access data subject information, and it requires participating organizations to comply with detailed privacy obligations that in turn facilitate the transfer of personal data. In other words, once approved, data transfers based on an adequacy decision remove barriers to transfer and do not “require any specific authorization.”

How this affects your business

Article 45 of the General Data Protection Regulation (GDPR) allows the European Commission to decide whether a third country – in this case, the US – has implemented appropriate safeguards that offer an adequate level of data protection to data subjects. Before adopting the Framework, the European Commission invalidated the previous data transfer mechanisms between the EU and US (the U.S.-EU Safe Harbor Framework and the EU-U.S. Privacy Shield Framework) on the grounds that they did not provide adequate levels of data protection. Most recently, the EU-U.S. Privacy Shield Framework was invalidated by the Court of Justice of the European Union in the seminal Schrems II case. The court ruled that Privacy Shield, like the Safe Harbor Framework before it, did not protect EEA data subjects’ personal information from the surveillance powers held by the U.S. Government.

Following the Schrems II decision, organizations were left to implement appropriate data transfer safeguards as outlined in Article 46 of the GDPR, in addition to conducting Data Inventory Mapping exercises and implementing enhanced measures to ensure an equivalent level of protection to transfers within the EU. This lack of a consistent approach left many organizations wondering whether their own internal practices sufficed to meet regulatory requirements for the data types they possessed (Personal Data vs. Sensitive Personal Data). The new Framework will serve to address these concerns and create a uniform approach to the transfer of personal data for all US-based organizations conducting business in the EU.

It is important to note that an adequacy decision does not require organizations to implement a level of protection identical to that outlined in the GDPR. Rather, the Court of Justice will evaluate various factors before issuing an adequacy decision. These include reviewing the following in light of the substantive privacy rights outlined in the GDPR and determining whether they deliver appropriate levels of protection: (1) effective implementation and (2) supervision and enforcement.

Organizations looking to adopt the new Framework should seek to understand the requirements either by allocating internal resources via the hiring of an expert privacy contributor or by partnering with expert organizations, such as Thoropass, to assist in the implementation of the various requirements. Additionally, new self-assessment or outside compliance review requirements will require the implementation of solid compliance processes. Fortunately, there are expert and knowledgeable staff at Thoropass able to assist you in your compliance journey as you adopt the new Framework for data transfers.


The EU-U.S. Data Privacy Framework

Organizations seeking to rely on the new adequacy decision will be subject to certain additional requirements under the Framework. The following is a high-level overview of some of those requirements:

  • Certified Organizations: To be eligible for certification under the new Framework, organizations must be subject to the investigatory and enforcement powers of the Federal Trade Commission or the Department of Transportation.
  • Annual Recertification: Organizations are required to recertify on an annual basis in order to attest to compliance with the adequacy decision.
  • Purpose Limitation: Organizations can only collect data for a specific purpose. Any deviation from the original purpose of data collection will require notification to data subjects and an opportunity for them to opt out.
  • Data Accuracy, Minimization, and Security: Data may be retained in a form that identifies a data subject only for as long as is necessary to fulfill the purpose for which the data was collected.
  • Transparency: Organizations will be required to inform data subjects of their participation in the Framework as well as the types of data being collected, the purpose of processing, their individual rights, and the redress available to them, among other things.
  • Individual Rights: Rights are reflective of those currently found in the GDPR.
  • Restrictions on Onward Transfers: Transfers of data from Framework participants to third parties will require those third-party organizations to provide the same level of protection as the Framework.
  • Accountability: Organizations must implement appropriate compliance measures and verify, via self-assessments or outside compliance reviews, that their compliance initiatives have been properly implemented.

These new requirements will serve to create uniformity of approach while also encouraging, and even demanding, that organizations implement new processes such as certification, recertification, and compliance reviews. Once implemented appropriately, these requirements will ease data transfers for U.S.-based organizations seeking to transfer personal data out of the EU.

What your organization should do

Your organization can expect changes, based on this adequacy decision, to come quickly and should be prepared to act in response. If your organization is contemplating or currently processing the personal data of EEA citizens, Thoropass experts are available to help you evaluate your current policies, procedures, and processes against GDPR requirements as well as other compliance frameworks such as SOC 2 and ISO 27001. Our trusted experts undergo rigorous training in their disciplines and are equipped with insight and hands-on experience, so you are never alone on your GDPR compliance journey.
