New EU-US Privacy Framework
On July 10, 2023, the European Commission adopted its adequacy decision regarding the EU-US "Data Privacy Framework". It is the third attempt to establish safe and trusted EU-US data flows. The previous EU-U.S. Privacy Shield framework, which facilitated transatlantic data flows, was invalidated by the EU Court of Justice (ECJ) in the July 2020 Schrems II decision. The new EU-U.S. Data Privacy Framework (DPF) states that the United States provides an adequate level of protection, comparable to that of the European Union, when the parties comply with the DPF.
Why was the DPF concluded?
The data privacy framework was developed to facilitate the free flow of data between the United States and the EU. A coordinated approach to the challenges of today's changing digital marketplace and data-intensive business models is increasingly important. The EU-US DPF is intended to ensure that personal data is collected fairly, for a specific purpose and then used only to the extent that it is compatible with the purpose of the processing.
The framework is mainly intended to protect civil liberties by limiting US digital intelligence activities and to introduce a two-step independent redress mechanism for data subjects. Based on the new decision finding an adequate level of protection for personal data, data can be transferred securely from the EU to US companies without introducing additional protective safeguards. The decision aims to ensure that EU data subjects continue to enjoy important privacy protections while allowing businesses to operate in the global economy. The DPF is intended to close the gaps in the Privacy Shield concluded between the EU and the US in 2016.
The data protection granted under the EU-US DPF applies to personal data transferred between the EU and US organizations that have joined and subjected themselves to the DPF. Such organizations must comply with the Data Privacy Framework by, among other things, updating their privacy policies by October 10, 2023.
Is the DPF applicable to data transfers from Switzerland?
Although the EU legislation is not binding on Switzerland, Swiss companies processing personal data under the GDPR may rely on the adopted Data Privacy Framework for the transfer of such data in order to fulfil their GDPR obligations. However, the DPF is not yet applicable to data transfers under the Swiss Federal Act on Data Protection.
Following the invalidation of the EU-US Privacy Shield in 2020, the Swiss Federal Data Protection and Information Commissioner (FDPIC), like the ECJ, ruled that the CH-US Privacy Shield does not provide an adequate level of protection for data transfers from Switzerland to the US. Following the EU adequacy decision, the FDPIC issued a statement on July 11, 2023 that it has taken note of the EU adequacy decision, but that it will be up to the Federal Council to assess whether the CH-US DPF will grant an adequate level of data protection. Such an assessment cannot be officially performed until September 1, 2023. Until the CH-US DPF is finalized and assessed, Switzerland's adequacy list will remain unchanged. Hence, companies that must comply with the FADP cannot, for the next few months, rely on the new EU-US DPF for data transfers to the US.
Next steps on the US side
On July 17, 2023, the rules of the Swiss-U.S. Privacy Shield Framework will enter into effect on the US side. US companies that self-certify under the framework must, among other obligations, update their policies by October 17, 2023. US companies with a valid CH-US Privacy Shield certification do not need to make a separate, initial self-certification submission to join the CH-US DPF.
In addition, on July 17, 2023, the International Trade Administration will launch a DPF program website, allowing U.S.-based organizations to pre-certify themselves. The platform is also expected to allow participating organizations to make annual submissions for recertification, and to include a collection of guidance materials and information about the DPF program and its oversight.
Facing legal challenges
The NGO NOYB, with its well-known member Max Schrems, is critical of the new DPF. It suggests that the new transatlantic data protection framework is largely a copy of the previous Privacy Shield of 2016. The organisation stresses that a challenge to the new framework before the ECJ is inevitable and could come as early as this year or early 2024. According to NOYB, the new framework has changed almost nothing in US law or in the EU's approach, the fundamental problem arising from FISA 702 has not been solved, and the European Commission shows little concern for the rule of law and the privacy of citizens.
Compliance check before relying on the DPF
As the EU-US DPF is a new milestone in transatlantic data transfers, it remains to be seen how long it will remain legally valid before being challenged, and possibly overturned, by the ECJ. If your data transfer is to be based on the new DPF, you need to assess the following:
1. Is the US-based party to the transfer certified under the X-US DPF?
2. Is the EU-US or later the CH-US DPF applicable to the transfer?
3. Is the DPF recognized as providing an adequate level of data protection in your jurisdiction?
International data transfers remain a challenge and non-compliance can result in severe fines. We are happy to analyse your specific use case and assist you with compliant data flows. Simply contact our specialists to discuss how we can support you.