On July 10, 2023, the new EU-U.S. Data Privacy Framework (DPF) was adopted as the successor to the Privacy Shield. The DFP thus represents an important development to address the challenges of transatlantic data protection.
Learn everything you need to know about the new EU-U.S. Data Privacy Framework here.
What is the EU-U.S. Data Privacy Framework (DPF)?
The DPF protects personal data when transferred from the EU to US organizations. The mechanism is designed to ensure that European data protection standards are met in the process.
There have been previous agreements between the EU and the USA, such as Save Harbour or Privacy Shield. However, these agreements were overturned by the European Court of Justice (ECJ).
Why is such an agreement needed?
The GDPR provides a legal basis in the EU that guarantees a uniform level of data protection. In doing so, it also regulates restrictions on the transfer of data to countries outside the EU that cannot offer such a level of protection. Under certain circumstances, no personal data from the EU may be transferred to these countries.
In today's world, it is hard to imagine a global exchange of data without it. The fact that data protection standards in the USA are fundamentally lower than required by the GDPR has so far posed major difficulties for this data exchange. The Data Privacy Framework is now intended to counter these.
What does the DPF regulate?
The DPF essentially contains three core elements.
First, participation in the DPF makes it necessary for U.S. companies to participate in a self-certification process. This process is managed by the U.S. Department of Commerce. It also monitors whether the certified companies comply with the DFP regulations. Thus, it acts as an enforcement agency.
Furthermore, complaints mechanisms will be introduced. In this way, accountability is to be strengthened. For this purpose, a Data Protection Review Court will be newly established, which will have investigative powers and can propose solutions, enabling effective means to resolve data protection concerns.
Finally, the DFP regulates the introduction of binding security measures. This will significantly limit access by U.S. intelligence agencies to European data. Access is to take place only to the extent that is necessary and appropriate for national security purposes. This clearly addresses the ECJ's previous criticism of the earlier agreements.
What are the implications of the DPF for businesses?
First of all, the DPF provides more security for companies. Data transfer from the EU to the USA was a red rag in data protection law for a long time. Now, however, clear regulations exist. The DPF prescribes a contractual agreement between the players that ensures compliance with the security level.
U.S. companies must have their eligibility confirmed by the authorities and must first verify it themselves.
While the inclusion of standard contractual clauses is still recommended, it is no longer a necessity. This makes it much easier for multinational companies to operate.
Despite the DPF, continuous action is still required from companies to comply with data protection regulations. Companies continue to be called upon to establish dispute resolution mechanisms and complaint management procedures. They must also continue to take responsibility for the data they process.
In addition, it is to be expected that the DPF will be in an ongoing process of adaptation, which companies must be able to deal with on a permanent basis.
Conclusion
The EU-U.S. Data Privacy Framework is a big step toward more global data protection. In doing so, it dares to perform a difficult balancing act between regulating protection and facilitating transfer.
The agreement is an example of international cooperation in the area of data protection, but it will not eliminate all difficulties overnight. Rather, a steady process is to be expected here as well, which will entail many further developments.
Do you need support and advice in the area of data protection and data security? Our team of experts will be happy to help you. Contact us here!
English 
Deutsch 
Español 
Français 
Polski