EU-US Data Privacy Framework: data transfers from the EEA to the US to happen
- What is the EU-US Data Privacy Framework?
- Are all companies covered by the EU-US Data Privacy Framework?
- What does the EU-US Data Privacy Framework mean for business?
In May 2023, the Irish Data Protection Supervisory Authority (DPC) issued a high profile decision against Meta. This decision questioned the legality of virtually any transfer of data from the EEA to the US. You can read more about the circumstances of the case in our piece at the link.
Since this decision, European companies cooperating with US partners have been in a quandary about how to organise the transfer of data to these partners. However, on 10 July 2023, the situation became clearer: the European Commission adopted an adequacy decision on the EU-US Data Privacy Framework.
Below, REVERA law group's data protection sub-practice lawyers Alena Potorskaya and Ekaterina Yakoltsevich explain how this will affect international businesses.
What is the EU-US Data Privacy Framework?
The EU-US Data Privacy Framework is a document that sets out the obligations to protect data when it is transferred from the EEA to the US. This document was developed in conjunction with European regulators following the cancellation of the well-known Privacy Shield in 2021. The EU-US Data Privacy Framework provides more data protection safeguards than the Privacy Shield did in its day.
U.S. companies that wish to join the EU-US Data Privacy Framework will need to ensure that certain safeguards are in place to protect data. In particular, such companies will have to comply with the requirement to delete data once the purpose of processing has been achieved (a similar rule is contained in the GDPR).
Are all companies covered by the EU-US Data Privacy Framework?
The EU-US Data Privacy Framework applies only to companies that have voluntarily committed to the standards set out in the document. These companies must be certified annually. Certification, as well as monitoring companies' compliance with the EU-US Data Privacy Framework, will be carried out by the U.S. Department of Commerce.
By confirming its participation in the EU-US Data Privacy Framework, a US company must comply not only with the EU-US Data Privacy Framework standards, but also with the GDPR and applicable US data privacy laws.
To facilitate the certification process, the US Department of Commerce has launched the EU-US Data Privacy Framework website. This site also allows you to check whether a U.S. company has joined the EU-US Data Privacy Framework.
What does the EU-US Data Privacy Framework mean for business?
Under the GDPR, transfers of personal data outside the EEA can only take place unhindered if such a state provides an adequate level of protection for personal data.
On 10 July 2023, the European Commission adopted an adequacy decision on the EU-US Data Privacy Framework. This means that companies that have joined the EU-US Data Privacy Framework are deemed to provide an adequate level of protection for personal data. In other words, the requirements for transferring personal data to US companies that have joined the EU-US Data Privacy Framework will be the same as the requirements for transferring data within the EEA - quite simple.
However, in case a US company is not a member of the EU-US Data Privacy Framework, the transfer of personal data to such companies will be regulated by Article 46 of the GDPR. This article establishes rules for transferring personal data to states that do not provide an adequate level of protection for personal data. And given the recent decision regarding Meta, it will be very difficult to enforce them.
Dear journalists, the use of materials from the REVERA website in publications is only possible after our written permission.
For materials coordination, please contact by e-mail: i.antonova@revera.legal or Telegram: https://t.me/PR_rever